Data Protection Act – Botswana

Part 1 – Practical Steps to Compliance

The digital age has undoubtedly brought invaluable benefits to both businesses and
individuals. One such benefit is the increasing ease with which companies and businesses
can collect, process and store personal data and sensitive information. The Data Protection
Act seeks to regulate the protection of such personal data and to ensure that the privacy of
individuals in relation to their personal data is maintained. The legislation places
significant obligations on businesses and organisations in their use, handling and
management of that data. This article identifies and discusses five key practical steps an
organisation should take to ensure compliance with the Act.
1. Gap analysis – the very first step is for an organisation to carry out a gap analysis of
the data it collects, processes and retains. The organisation should determine what
information is gathered, how it is gathered, where it is stored and who has access to it. It
should then evaluate the risks involved in the processing and storage of that data: the
likelihood of data breaches, unauthorised access, ransomware and other security concerns.

2. Formulate and implement security measures – the results of the gap analysis will reveal
the risks relating to the data and will enable the organisation to determine the security
measures that must be implemented to safeguard it; these may include access controls,
encryption and similar controls. These actions will form part of a corrective action plan the
organisation must implement. The corrective action plan should take into consideration the
following:

  • whether there is a legal basis for each processing (including disclosure and
    cross-border transfer) of personal data;
  • whether the personal data being collected and retained is minimal and
    necessary;
  • whether the personal data being collected is correct, up-to-date and accurate;
  • whether the necessary consent has been obtained from data subjects whose
    personal data is being processed;
  • whether adequate security measures are in place to protect the personal
    data;
  • whether there is a retention period and disposal timeline for each type of
    personal data; and
  • how data subjects may exercise their rights under the Act.

3. Implement data protection processes – following the review, it is important to ensure
that detailed and robust processes involving personal data are in place and that they comply
with the legislation. These may include data collection processes, data security procedures,
data retention and disposal procedures, procedures for handling data subject requests,
marketing procedures and data breach handling processes.

4. Policies – all data protection processes must be documented in a data protection policy
which sets out the organisation's obligations under the legislation. This policy should be
approved by management and communicated to all staff members.

5. Staying up to date with the regulations – the organisation must keep up with the most
recent laws and modify its data privacy procedures accordingly. Non-compliance with the Data
Protection Act could result in large fines and other legal repercussions.

In Part 2 we will consider whether an organisation must register with the Data Protection
Commission, the impact of the Act on the relationship between a data controller and a data
processor, whether an organisation should appoint a Data Protection Representative, and
what the qualifications of the Data Protection Representative should be.

* Please note that all persons/entities have until 17 September 2024 to comply with the
provisions of the Data Protection Act relating to the processing