GDPR is an acronym for “General Data Protection Regulation”, which, is a regulation that has been approved by The European Parliament, European Commission and the Council of the European Union with the aim to strengthen and ultimately unify Data Protection for all persons within the European Union.
The GDPR will apply to personal data. “Personal data” is defined as information regarding to an identifiable natural person, known as the “Data Subject”. Identifiable natural person means a person for who can be identified either directly from information or indirectly from information, particularly by reference to an identification such as ID number, name and/or location data.
Anonymised data will not be covered by the GDPR and is also currently not covered by The Data Protection Acts within Ireland. The familiar Data Protection terminology of “Data Processors” and “Data Controllers” are continued in use within the GDPR.
A Data Controller – means a person that determines the exact purposes and the methodology by which the personal data is and will be processed. The ultimate responsibility for Data Protection Compliance ends with The Data Controller.
Negligence is not an excuse for a Data Controller. For a data controller to process data, they are to be aware of their responsibilities and cannot claim indemnification even if they were advised to conduct certain activates in a certain way from a separate person.
Example; Company X receive personal data during their daily activities and stores that information while in use. Company X then receives advise from Company Y as to the best method to dispose of the said information once no longer required in use. Company X then disposed of the information however, the information is found again and it is found that the method for disposal waste not in compliance. Company X will be fully responsible as the Data Controller and will receive the penalties as the disposal method was not in compliance.
A Data Processor – means a person who processes personal data for a data controller. It is the Data Controller who decides the purpose and manner to be followed during the process, hence they hold responsibility, and, it is the Data Processor who will process the data. Process means, any operation that is conducted upon personal data including but not limited to, collection, storage, consultation, dissemination, erasure and destruction.
Therefore, if a person hires a data processor to conduct a process on their data, it is the ultimate responsibility of the Data Controller to be in compliance. It is the ultimate responsibility of the data controller to be fully aware of the process being conducted and to know that the said process is in full compliance. There is no room for error/guessing.
For further information about our GDPR consulting services and compliance with the GDPR, please contact the team at firstname.lastname@example.org and read our GDPR compliance page.
Any questions or queries regarding our shredding process, please fill out the form and one of our team will get back to you asap
We will then answer any queries that you may have in relation to this confidential destruction system. If you have any further queries, do not hesitate to contact us at any of the provided contact details or using the enquiry form.