Duty to Keep Data Secure
Data controllers must keep the data which they hold secure. The security must be appropriate to the risk represented by the processing and to the nature of the data. What is appropriate will depend on the circumstances; regard may be had to the state of the art and to the cost of implementing the measures.
Measures must be taken against unauthorised access to, alteration or disclosure of, and destruction of data, and against all other unlawful forms of processing. The duty applies in particular to the transmission of data over a network.
The measures taken must be adequate to secure the data. They must be appropriate to the harm that might result from unauthorised or unlawful processing or from destruction or loss. They must take account of the risk of deliberate attempts to hack into the system, as well as of accidental disclosure.
A data processor who processes data on behalf of a data controller must also implement the above security measures. The relationship between the data processor and the data controller should be governed by a contract, which requires that processing be undertaken securely, in accordance with the instructions of the data controller.
The outsourcing controller must ensure that the processor provides sufficient assurance and guarantees in relation to the technical, security and organisational measures applicable to the processing. It must take reasonable steps to ensure ongoing compliance with the measures.
Technical and Organisational Security of Personal Data I
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The measures shall include, as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability of and access to the personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
Required Level of Security of Personal Data
In assessing the appropriate level of security, account must be taken of the particular risks presented by the processing. These include in particular the risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Adherence to an approved code of conduct or an approved certification mechanism may be an element by which to demonstrate compliance with the requirements.
The controller and processor must take steps to ensure that any person acting under its authority who has access to personal data does not process it, except on instructions from the controller unless required to do so by domestic or EU Law.
Data controllers must take reasonable steps to ensure that their employees and other persons at the place of work comply with the relevant obligations. The Data Protection Commission's guidelines give guidance on the procedures and controls which should be put in place. For example, a minimum protection would be adequate password protection on a computer to prevent unauthorised access; the passwords should be reviewed and changed periodically. The computer should preferably also be physically secured against unauthorised access.
Persons dealing with personal data should do so only where this is strictly necessary for their duties. Access should be restricted to those who need it and segregated from other persons in the organisation whose access is not necessary. Encryption may be appropriate. The system should be able to identify any unauthorised access and should record the details of each access and the identity of the user.
Log-on and remote access systems should be carefully proofed against the risk of a breach of security. Precautions should be taken to ensure that laptops do not contain any more sensitive information than necessary. Appropriate physical and electronic security locks must be in place.
Notify the Breach I
In the case of a personal data breach, the controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.
The breach need not be notified if it is unlikely to result in a risk to the rights and freedoms of natural persons. The controller must be able to demonstrate that this is so, in accordance with the accountability principle.
The notification to the supervisory authority shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the number of records;
- communicate the name and contact details of the data protection officer or another contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including measures to mitigate its possible adverse effects.
Notify the Breach II
Where the notification is not made within 72 hours, it shall be accompanied by the reasons for the delay. The processor must notify the controller without undue delay after becoming aware of a personal data breach.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases, without undue further delay.
The controller must document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. The documentation must enable the supervisory authority to verify compliance with these obligations.
When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the data subject without undue delay. The communication must describe in clear and plain language the nature of the breach and contain at least the contact details of the data protection officer or other contact point, the likely consequences of the breach and the measures taken or proposed to address it, as described above.
Exemption from Breach Notification
The above communication to the data subject is not required if any of the following conditions is met:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
- it would involve disproportionate effort; in that case there must instead be a public communication or similar measure whereby the persons concerned are informed in an equally effective manner.
If the data controller has not communicated the personal data breach to the person concerned, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or decide that any of the excepting conditions are met.
Technical and Organisational Measures by Data Controllers I
The data controller shall implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR. These measures must be reviewed and updated where necessary. They must take into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
Where proportionate in relation to processing activities, the measures shall include the implementation of appropriate data protection policies by the controller. Adherence to appropriate approved codes of conduct or approved certification mechanisms as provided for in the GDPR may be used in demonstrating compliance with the obligations of the controller.
Technical and Organisational Measures by Data Controllers II
The controller must, both at the time of determining the means of processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement the data protection principles in an effective manner and to integrate the necessary safeguards into the processing, in order to meet the requirements of the regulation and protect the rights of data subjects.
This must take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing.
The controller must implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of the processing, the period of storage and their accessibility. In particular, such measures shall ensure that, by default, personal data are not made accessible to an indefinite number of natural persons without the individual's intervention. An approved certification mechanism may be used as an element of demonstrating compliance with the above requirements.
Duties of Joint Controllers
Where two or more persons jointly decide the purposes and means of processing, they are joint controllers. They must in a transparent manner determine their respective responsibilities for compliance with their obligations, in particular regarding the exercise of the rights of the data subject and the duties to provide information, by means of an arrangement between themselves. This is unless and in so far as their responsibilities are determined by state or EU Law to which they are subject.
The arrangement may designate contact points for data subjects. The arrangement must duly reflect the respective roles and relationships of the joint controllers regarding the persons the subject of the data. The essence of the arrangement should be made available to the data subject.
Irrespective of the terms of the arrangement, the data subject may exercise his rights under the GDPR in respect of and against each of the data controllers.
Designation of Data Protection Officer
The Minister may make regulations requiring controllers, processors, associations or other bodies representing categories of controllers or processors to designate a data protection officer. Regulations may apply to—
- one or more than one class of controller,
- one or more than one class of processor, or
- one or more than one class of association or other body representing categories of controllers or processors.
In making regulations, the Minister shall have regard to the need for the protection of individuals with regard to the processing of their personal data. Without prejudice to the generality of the foregoing, he must have regard in particular to—
- the nature, scope, context and purposes of the processing,
- risks arising for the rights and freedoms of individuals,
- the likelihood and the severity of such risk for the individuals concerned, and
- the costs of implementation of any requirement if it were imposed.
Appointed Representative in European Union for Non-EU Controllers and Processors
Where a controller or processor not established in the EU offers goods or services to, or monitors the behaviour of, data subjects within the EU, it must designate in writing a representative within the EU. The obligation does not apply to processing which is occasional, does not include the large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing. Nor does it apply to a public authority or body.
The representative must be established in one of the EU states in which the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are situated.
The representative must be mandated by the controller or processor to be addressed, in addition to or instead of the controller or processor, by the supervisory authorities and data subjects in particular, on all issues related to processing, for the purpose of ensuring compliance with the GDPR. The designation of a representative does not limit any legal action or rights against the controller or processor themselves.
Requirements regarding Processors and Processing
When processing is to be carried out on behalf of a controller, the controller must use only processors who provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the regulation and ensure the protection of the rights of data subjects.
The data processor must not engage another processor without prior specific or general written authorisation of the data controller. In the case of a general written authorisation, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors thereby giving the controller the opportunity to object to the change.
The processor and any person acting under the authority of the controller or the processor who has access to the personal data must not process the data, except on instructions from the controller unless required by EU or national law.
If the processor infringes the GDPR by determining the purposes and means of processing, the processor is deemed the controller in respect of that processing.
Requirement for Processor’s Contract I
Processing by a processor must be governed by a contract or other legal act in accordance with EU law or the law of the member state. It is to set out the subject matter, the duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject and the obligations and rights of the controller. It is to be legally binding.
Adherence by a processor to an approved code of conduct or an approved certification mechanism may be used as an element by which it demonstrates that sufficient guarantees are in place.
The EU Commission may lay down standard contractual clauses for these matters. The contract or other legal act must be in writing including in electronic form.
The relevant contract or legal act must stipulate in particular that the processor processes the personal data only on documented instructions from the controller (including with regard to transfers of personal data to a third country or an international organisation), unless required to do so by EU or member state law to which the processor is subject; in such a case, the processor must inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The contract must ensure that the persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Requirement for the Processor’s Contract II
The contract must require the processor to take all the measures required under the GDPR in relation to the security of processing (described above) and to comply with the conditions, described below, for engaging another processor. It must, taking into account the nature of the processing, require the processor to assist the controller by appropriate technical and organisational measures, in so far as this is possible, in fulfilling the controller's obligation to respond to requests by data subjects for the exercise of their data protection rights.
The contract or legal act must require the processor to assist the controller in ensuring compliance with its obligations in relation to the security of processing, the notification of breaches, data protection impact assessments and prior consultation, taking into account the nature of the processing and the information available to the processor.
The agreement must, at the choice of the controller, provide for the deletion or return of all personal data to the controller after the end of the provision of services relating to the processing, and for the deletion of existing copies, unless EU or domestic law requires storage of the data. It must also require the processor to make available to the controller all information necessary to demonstrate compliance with these obligations and to allow for and contribute to audits, including inspections, conducted by the controller or an auditor mandated by the controller. In this respect, the processor must immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other EU or national data protection provisions.
Processor and Other Processors
When a processor engages another processor to carry out specific processing activities on behalf of the controller, the same obligations as set out in the contract between the controller and processor (as referred to above), must be imposed on that other processor by contract or legal act.
In particular, the other processor must provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the regulation. Where that other processor fails to meet its data protection obligations, the first processor remains liable to the controller for the performance of that other processor's obligations.
Records Required I
Each controller and where applicable the controller’s representative, must maintain a record of processing activities under its responsibility. The record is to contain all of the following information.
- the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or international organisation including identification and where applicable, the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to below.
Records Required II
Each processor and, where applicable, its representative, must maintain a record of all categories of processing activities carried out on behalf of a controller. It shall contain:
- the name and contact details of each controller on behalf of which it acts, and where applicable, their representative and data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or international organisation, including the identity of that country or organisation and, where applicable, the documentation of suitable safeguards;
- where possible, a general description of the technical and organisational security measures referred to below.
The records shall be in writing, including in electronic form.
The controller and processor and, where applicable, their representative shall make the record available to the supervisory authority on request.
Exemptions for SMEs
The records obligations do not apply to an enterprise or organisation employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.
The controller and processor and where applicable, their representatives must cooperate on request with the supervisory authority in the performance of its functions.
References and Sources
Data Protection Act 1988
Data Protection (Amendment) Act 2003
Data Protection Act 2018
Data Protection (Fees) Regulations 1988, S.I. No. 347 of 1988
Data Protection Act 1988 (Commencement) Order 1988, S.I. No. 349 of 1988
Data Protection (Registration Period) Regulations 1988, S.I. No. 350 of 1988
Data Protection (Registration) Regulations 1988, S.I. No. 351 of 1988
Data Protection Act 1988 (Restriction of Section 4) Regulations 1989, S.I. No. 81 of 1989
Data Protection (Access Modification) (Health) Regulations 1989, S.I. No. 82 of 1989
Data Protection (Access Modification) (Social Work) Regulations 1989, S.I. No. 83 of 1989
Data Protection Act 1988 (Section 5 (1) (D)) (Specification) Regulations 1993, S.I. No. 95 of 1993
Data Protection Commissioner Superannuation Scheme 1993, S.I. No. 141 of 1993
Data Protection Act 1988 (Section 16(1)) Regulations 2007, S.I. No. 657 of 2007
Data Protection (Fees) Regulations 2007, S.I. No. 658 of 2007
Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007
Data Protection Act 1988 (Section 5(1)(D)) (Specification) Regulations 2009, S.I. No. 421 of 2009
Data Protection Act 1988 (Section 2B) Regulations 2011, S.I. No.486 of 2011
Data Protection Act 1988 (Section 2B) Regulations 2012, S.I. No.209 of 2012
Data Protection Act 1988 (Section 2A) Regulations 2013, S.I. No.313 of 2013
Data Protection Act 1988 (Commencement) Order 2014, S.I. No. 337 of 2014
Data Protection Act 1988 (Section 2B) Regulations 2015, S.I. No.240 of 2015
Data Protection Act 1988 (Section 2A) Regulations 2016, S.I. No.220 of 2016
Data Protection Act 1988 (Section 2B) Regulations 2016, S.I. No.426 of 2016
Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016, S.I. No. 427 of 2016
Data Protection (Amendment) Act 2003 (Commencement) Order 2003, S.I. No. 207 of 2003
Data Protection (Amendment) Act 2003 (Commencement) Order 2007, S.I. No. 656 of 2007
Data Protection (Amendment) Act 2003 (Commencement) Order 2014
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
EU Data Protection Law Kelleher & Murray 2018
Information & Technology Communications Law Kennedy & Murphy 2017
Social Networking Lambert 2014
Law Society PPG Hyland Technology & Intellectual Property Law 2008
Information Technology Law in Ireland 2 Kelleher & Murray 2007
Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016
Privacy & Data Protection Law in Ireland Kelleher 2015
Data Protection: A Practical Guide to Irish & EU Law Carey 2010
Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003
EU and UK Texts
Information Technology and Intellectual Property Law 7th ed Bainbridge 2018
Guide to the General Data Protection Regulation and the UK Data Protection Act 2nd ed Rosemary Jay 2018
Government and Information: The Law Relating to Access, Disclosure and Their Regulation 5th ed Patrick Birkinshaw, Mike Varney 2018
Commentary on the EU General Data Protection Regulation Christopher Kuner, Lee A. Bygrave, Christopher Docksey 2018
A User's Guide to Data Protection: Law and Policy 3rd ed Paul Lambert 2018
Protecting Individuals Against the Negative Impact of Big Data: Potential and Limitations of the Privacy and Data Protection Law Approach Manon Oostveen July 2018
Information Exchange and EU Law Enforcement Anna Fiodorova 2018
Data Privacy and Cybersecurity: A Practical Guide Rafi Azim-Khan 2018
The General Data Protection Regulation (GDPR): How to get GDPR consent Simon McNidder 2018
The Cambridge Handbook of Consumer Privacy Edited by: Evan Selinger, Jules Polonetsky, Omar Tene 2018
Data Protection: A Practical Guide to UK and EU Law 5th ed Peter Carey 2018
The EU General Data Protection Regulation (GDPR): A Commentary Lukas Feiler, Nikolaus Forgo, Michaela Weigln 2018
A Practical Guide to the General Data Protection Regulation (GDPR) Keith Markham 2018
EU Data Protection Law Denis Kelleher, Karen Murray 2018
New European General Data Protection Regulation: A Practitioner's Guide Edited by: Daniel Rucker, Tobias Kugler 2017
Encyclopaedia of Data Protection and Privacy Annual Subscription Rosemary Jay, Hazel Grant, Sue Cullen, Timothy Pitt-Payne 2017
Determann's Field Guide to International Data Privacy Law Compliance 3rd ed 2017
The EU General Data Protection Regulation (GDPR): A Practical Guide Paul Voigt, Axel von dem Bussche 2017
EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide Alan Calder, Richard Campo, Adrian Ross 2017
Privacy, Data Protection and Cybersecurity in Europe Edited by: Wolf J. Schunemann, Max-Otto Baumann 2017
Guide to the General Data Protection Regulation: A Companion to the 4th ed of Data Protection Law and Practice Rosemary Jay 2017
Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Mariusz Krzysztofek 2016
Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2016
EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide Alan Calder, Richard Campo, Adrian Ross 2016
Data Protection and Privacy: International Series 3rd ed Edited by: Monika Kuschewsky 2016
Data Protection: The New Rules Ian Long 2016
A User's Guide to Data Protection 2nd ed Paul Lambert 2016
The Foundations of EU Data Protection Law Orla Lynskey 2015
Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2015
Data Protection: A Practical Guide to UK and EU Law 4th ed Peter Carey 2015
Data Protection: Law and Practice 4th ed with 1st Supplement Rosemary Jay 2014
Information Rights: Law and Practice 4th ed Philip Coppel 2014
Cloud Computing Law Christopher Millard 2013
Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013
Consent in European Data Protection Law Eleni Kosta 2013
A User's Guide to Data Protection Paul Lambert 2013
Confidentiality (Book & eBook Pack) 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012
Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012
Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011
Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011
Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011
Information Rights: Law and Practice 3rd ed Philip Coppel 2010
Data Protection: Legal Compliance and Good Practice for Employers 2nd ed Lynda Macdonald 2008