
Data Protection Act 2003 & 2018

Emilia Connolly
 

Both the Data Protection Act 2003 and the Data Protection Act 2018 aim to protect an individual's privacy. These
acts give people rights in relation to their personal data and make the responsibilities
of those holding and processing it very clear. Personal data is any information that relates to an
identified or identifiable living individual, for example:

○ a name and surname
○ a home address
○ an email address
○ location data (for example the location data function on a mobile phone)
○ an Internet Protocol (IP) address
○ a cookie ID
○ the advertising identifier of your phone
○ data held by a hospital or doctor, which could be a symbol that uniquely identifies a
person.

They provide protection against unwanted or harmful use of such data.

What does the Data Protection Act 2003 state?


Within the Data Protection Act 2003 there are eight rules which govern the processing of personal
data.

1. Obtain and process the information fairly
2. Keep it only for one or more specified and lawful purposes
3. Process it only in ways compatible with the purposes for which it was given to you initially
4. Keep it safe and secure
5. Keep it accurate and up-to-date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it no longer than is necessary for the specified purpose or purposes
8. Give a copy of his/her personal data to any individual, on request.

This data can be held on computers or in manual files. In order to comply with these rules, the
following procedures must be observed at all times.

In relation to rules 1, 2 and 6) Obtain personal data only when there is a clear purpose for doing
so, obtain only that which is necessary for fulfilling that purpose and ensure that it is used only
for that purpose.

In relation to rule 3) Do not disclose any personal data to any third party without the consent of
the data subject.

In relation to rule 4) The Department must protect personal data from unauthorised access when
in use and in storage and must protect it from inadvertent destruction, amendment, loss,
disclosure, corruption or unlawful processing.

In relation to rule 5) Data subjects have a responsibility to advise the Department of any errors
or changes to data. Once informed, it is imperative that the data be amended accordingly.

In relation to rule 7) Data should not be kept for any longer than is necessary for the purpose for
which it was collected.

In relation to rule 8) The DP Acts provide for the right of access by the data subject to his or her
personal information.

Why was the Data Protection Act 2003 updated?

On the 25th of May 2018, the GDPR was brought into legislation. The GDPR is the General
Data Protection Regulation. The EU GDPR goes further than the Data Protection Act because it is a regulation
and not a directive. A regulation is effectively a law, not a set of minimum requirements, which is
essentially what the Data Protection Act was. The EU GDPR took many years to write and had
thousands of amendments due to jurisdictional requirements or small issues, but it is now in
effect. Anybody who holds data on an EU citizen must comply with this regulation. If you have
data on an EU citizen then this regulation applies to you. It was updated due to the boom in
social media accounts and digital information. 2003 was well before the internet became the
online business hub that it is today. Consequently, the directive is outdated and does not address
many of the ways in which data is stored, collected and transferred today.

Why is it important to protect stakeholders data?

Public concern over data privacy grows with every data breach. According to the RSA Data
Privacy & Security Report, for which RSA surveyed 7,500 consumers in France, Germany, Italy,
the UK and the U.S., 80 percent of consumers said lost banking and financial data is a top
concern. Lost security information (e.g. passwords) and identity information (e.g. passports or
driving licence) were cited as a concern by 76 percent of the respondents.

An alarming statistic for companies that deal with consumer data is that 62 percent of the
respondents to the RSA report say they would blame the company for their lost data in the
event of a breach, not the hacker. The report's authors concluded that, "As consumers become
better informed, they expect more transparency and responsiveness from the stewards of their
data."

Lack of trust in how companies treat their personal information has led some consumers to take
their own countermeasures. According to the report, 41 percent of the respondents said they
intentionally falsify data when signing up for services online. Security concerns, a wish to avoid
unwanted marketing, and the risk of having their data resold were among their top reasons. For
this reason, it is a top priority for businesses to make sure that consumers know that their data is
protected and that the GDPR rules are being followed.

How is it enforced?

The Data Protection Commission is the national independent authority responsible for upholding
the fundamental right of individuals in the EU to have their personal data protected. The DPC is
the Irish supervisory authority for the General Data Protection Regulation, and also has functions
and powers related to other important regulatory frameworks including the Irish ePrivacy
Regulations and the EU Directive known as the Law Enforcement Directive. The Data Protection
Commission will:

● Monitor and enforce the application of the GDPR
● Promote public awareness of the rules and rights around data processing
● Advise the Government on data protection issues
● Promote awareness among controllers and processors of their obligations
● Provide information to individuals about their data protection rights
● Maintain a list of processing operations requiring a data protection impact assessment

The Data Protection Commission has the power to order any controller or processor to provide
information that the authority requires to assess compliance with the Regulation. It may carry out
investigations of controllers and processors in the form of data audits, including accessing the
premises of a controller or processor. The authority can order a controller or processor to change
their processes or to comply with data subject requests. The Data Protection Commission can also
issue warnings to controllers and processors, can ban processing, and can commence legal
proceedings against a controller or processor.

The GDPR has introduced a new European data protection supervisory authority, the European
Data Protection Board. The EDPB is responsible for ensuring that the GDPR is applied
consistently across the European Union. It will issue guidelines and recommendations on the
application of the Regulation. It will also advise the EU Commission on the application of the
Regulation and any updates that may be required.

Penalties

For the most serious infringements (for example, not having sufficient customer consent to
process data or violating the core of privacy by design concepts) organisations can be fined up to
4% of their annual global turnover or €20 million, whichever is greater.

Each member state may introduce further fines legislation, which will be enforceable within that
state only.

Under the GDPR, organisations in breach of the Regulation can be fined up to 2% of their annual
global turnover or €10 million, whichever is greater, for lesser breaches. Some examples of
lesser breaches include: not having records in order, not notifying the supervisory authority and
data subject about a breach, or not conducting an impact assessment.

An example of a GDPR breach:

Only recently, worldwide company Google was found to be in breach of the new GDPR legislation
in France. They were fined 50 million euro just one day before they moved their headquarters
from the US to Ireland. Doing this would have made Google Ireland Limited the "data
controller" legally responsible for EEA and Swiss users' information.

It was found that Google is not GDPR-compliant for two reasons: 1) data processing for new
Android users appears to happen outside Europe without consent and 2) data processing
permissions intended to help personalise ads are not transparent enough for users. (The original
complaint focussed on the notion of "forced consent".)

Google also by default ticks a box that says "I agree to the processing of my information as
described above and further explained in the Privacy Policy" when a user creates a new account
on their smartphone, without clearly specifying that this is for personalised ads not just on
Android but across YouTube also.

"The general architecture of the information chosen by the company does not respect the
obligations of the Regulation. Essential information, such as the purposes for which the data is
processed, the length of time the data is stored, or the categories of data used to personalise the
advertisement, are excessively scattered throughout several documents, which include buttons
and links that it is necessary to activate to read additional information," CNIL said in a French-language statement.

Google said it is studying the statement.

It added: “People expect high standards of transparency and control from us. We’re deeply
committed to meeting those expectations and the consent requirements of the GDPR.”

Varonis's Matt Lock, in an emailed comment, described the fine as likely to "quickly dispel any
lingering doubts that the EU would go easy on companies found in violation of the GDPR. The
news should be hitting companies like a cold shower."

"It's not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause
and seek to uphold major global companies as examples of lax privacy controls. The news
should serve as an impetus to organisations that have yet to prioritise their GDPR compliance
programs and hoped to simply fly under the radar – their luck may be running out soon."
