SME Agony Uncle: GDPR Special with Bobby Kerr and Maurice Muldoon, Business Consultant and GDPR Specialist

Join Bobby on The Hard Shoulder every Tuesday, with thanks to Energia

Each week broadcaster, entrepreneur and agony uncle Bobby Kerr joins The Hard Shoulder to answer all your employment-related questions.

This week's segment is all about GDPR and joining Bobby and Ivan in-studio was Maurice Muldoon, retailer, business consultant and GDPR specialist. 

Bobby kicks things off by explaining that GDPR goes beyond just CCTV and the likes for business owners. Basically, the current data protection obligations will remain in place with additions, come May 25th. In brief, the current obligations are that information should be obtained fairly, used for one or more specific reasons and kept safe and secure. 

What GDPR brings is two new principles around data integrity and accountability. Bobby says this is massively important for businesses - both small and big. We used to have 27 different sets of laws in 27 different countries when it came to privacy in Europe and now we will universal obligations that any business operating in Europe will have to uphold, including the likes of Google and Facebook. 

Why do we need these regulations? 

Maurice Muldoon explains that we have had data and privacy regulations in place in Ireland for many years already. However, the last time Ireland's Data Protection Act was updated, we didn't have Google or Facebook and smartphones hadn't even been invented.

Businesses have moved on from storing your information in filing cabinets to hard drives and now to cloud storage solutions so you have to think about where your data is actually being held. The technical advancements and innovations in recent times have made Europe and the world a much smaller place. 

As a result, it was decided that we needed a collective set of rules around data protection in Europe so people can be aware of how their information is being used and processed and where is it being stored, who has access to it, etc. 

Who do the obligations to adhere to the directive lie with?

It is the responsibility of each individual company to ensure it is in compliance with GDPR regulations. Maurice gives the example of how we need fuel to run cars and the people who make our cars don't also make the fuel. Or how people who deliver you pizza can't bring the food to you unless they get your name, address, phone number, etc. These companies are all collecting some form of data for a variety of different reasons and therefore need to be GDPR compliant. 

GDPR is about personal data so this applies specifically to companies who require personal information from customers or consumers in order to do their work or provide the service that they offer. 

What if a dentist, lawyer or even a radio show has saved your contact details for any reason? It's not secret information so what are their obligations? 

Businesses who fail to adhere to this process of managing data will face being fined up to €20 million or 4% of their turnover. In the past, the highest fine was €500,000 or 1% of your turnover.  

For example, if a company took your data in the past and stored it on their hard drive but then lost your information through a breach or a hack. This wasn't seen as the fault or responsibility of the company. GDPR means that if a company has your information stored, it is their obligation to ensure its safety and if something does happen that your data is leaked or breached in any way, this is then regarded as the responsibility of the company who had a duty of care towards your data. 

So what happens with the multiple companies, like utility providers or memberships, that already have your data? 

As you've probably already noticed, you should receive emails or be contacted by any company or organisation that is holding your data before May 25th to explain what the changes in regulations mean for the data they hold on you and whether or not you would like them to continue to have access to this information. 

Will this require a lot more bureaucracy for SMEs going forward? 

Bobby says that unfortunately, he thinks it will. Bobby also adds that this will mean extra costs for a lot of businesses but GDPR compliance is unavoidable.

In businesses, can employees now access data on themselves, such as HR notes? 

Maurice explained how GDPR works in two ways and therefore individuals have a lot more rights to their own data now and previously outlined in the Data Protection Act. If you like, you can submit a data subject enquiry to your employer or any company and they have 30 days to respond to you. 

What about CCTV? Can anyone walk into a shop now and say they don't want to be recorded by CCTV or request to see what the CCTV cameras in shops have recorded of them?

In a nutshell, individuals have the right to request access to the CCTV footage via the data subject enquiry process but in comparison to other data, CCTV footage of one individual might be much more complex an take longer to locate than say, a form that was filled out. In these instances, businesses can refuse what they deem to be an unreasonable request or apply to extend the 30 day response period to give themselves more time to locate the footage.     

You can listen back to all of Bobby and Maurice's GDPR advice from Tuesday’s The Hard Shoulder here:

If you have a business or SME related query you would like answered - you can get in touch with Bobby each week by simply sending a short mail to agonyuncle@newstalk.com