To view the articles click title or click on
means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher to decrypt it. Decryption, the inverse of encryption, is the process of turning ciphertext into readable plaintext.
Where consent is used as the lawful basis for processing, consent must be explicit for data collected and the purposes data is used for (Article 7; defined in Article 4). Consent for children must be given by the child’s parent or custodian, and verifiable (Article 8). Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
The term cryptography dates back to the 19th century – it originated in The Gold-Bug, a novel by Edgar Allan Poe. In modern times, cryptography referres almost exclusively to encryption, which is the process of converting ordinary information (plaintext) into unintelligible text ( ciphertext). Decryption is the reverse, ie, moving from the unintelligible ciphertext back to plaintext. A cipher (or cypher) is a pair of algorithms that create the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and in each instance by a “key”. The key is a secret (known only to the communicants), usually a short string of characters, which is needed to decrypt the ciphertext. Formally, a “cryptosystem” is the ordered list of elements of finite possible plaintexts, finite possible cyphertexts, finite possible keys, and the encryption and decryption algorithms which correspond to each key. Keys are important both formally and in actual practice, as ciphers without variable keys can be trivially broken with only the knowledge of the cipher used and are therefore useless for most purposes. Historically, ciphers were often used directly for encryption or decryption without additional procedures such as authentication or integrity checks. There are two kinds of cryptosystems: symmetric and asymmetric. In symmetric systems the same key (the secret key) is used to encrypt and decrypt a message. Data manipulation in symmetric systems is faster than asymmetric systems as they generally use shorter key lengths. Asymmetric systems use a public key to encrypt a message and a private key to decrypt it. Use of asymmetric systems enhances the security of communication.Examples of asymmetric systems include RSA (Rivest-Shamir-Adleman), and ECC (Elliptic Curve Cryptography). Symmetric models include the commonly used AES (Advanced Encryption Standard) which replaced the older DES (Data Encryption Standard).
A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and also data spill. Incidents range from concerted attack by black hats associated with organised crime, political activist or national governmentsto careless disposal of used computer equipment or data storage media.
Definition: “A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.” Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), Personally identifiable information (PII), trade secrets of corporations or intellectual property. Most data breaches involve overexposed and vulnerable unstructured data – files, documents, and sensitive information.
Data controllers and data processors are now subject to a (GDPR)general personal data breach notification regime.
• Data processors must report personal data breaches to data controllers.
• Data controllers must report personal data breaches to their supervisory authority and in some cases, affected data subjects, in each case following specific GDPR provisions.
• Data controllers must maintain an internal breach register.
• Non-compliance can lead to an administrative fine up to €10,000,000 or in case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
• As things stand, the specific breach notification regime for communications service providers, set out in Commission Regulation 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC, still applies.
means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
Article 20 of the General Data Protection Regulation (GDPR) introduces a new right of data portability. This right allows for data subjects to receive the personal data that they have provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller without hindrance. This right, which applies subject to certain conditions, supports user choice, user control and user empowerment.
Individuals making use of their right of access under the Data Protection Directive 95/46/EC were constrained by the format chosen by the data controller when providing the requested information. The new right to data portability aims to empower data subjects regarding their own personal data, as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another.
By affirming individuals’ personal rights and control over the personal data concerning them, data portability also represents an opportunity to “re-balance” the relationship between data subjects and data controllers1.
Whilst the right to personal data portability may also enhance competition between services (by facilitating service switching), the GDPR is regulating personal data and not competition. In particular, article 20 does not limit portable data to those which are necessary or useful for switching services.
Although data portability is a new right, other types of portability already exist or are being discussed in other areas of legislation (e.g. in the contexts of contract termination, communication services roaming and trans-border access to services). Some synergies and even benefits to individuals may emerge between the different types of portability if they are provided in a combined approach, even though analogies should be treated cautiously.
Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, or where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation.
The DPO is similar but not the same as a Compliance Officer as they are also expected to be proficient at managing IT processes, data security (including dealing with cyber-attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data. The skill set required stretches beyond understanding legal compliance with data protection laws and regulations.
The appointment of a DPO within a large organisation will be a challenge for the Board as well as for the individual concerned. There are myriad governance and human factor issues that organisation s and companies will need to address given the scope and nature of the appointment. In addition, the post holder will need to create their own support team and will also be responsible for their own continuing professional development as they need to be independent of the organisation that employs them, effectively as a “mini-regulator”.
Data Protection Officers (DPO’s) will be at the heart of this new legal framework for many organisations, facilitating compliance with the provisions of the GDPR.
Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. This will be the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that – as a core activity – monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale. Even when the GDPR does not specifically require the appointment of a DPO, organisations may sometimes find it useful to designate a DPO on a voluntary basis.
(a) is being processed by means of equipment operating automatically in response to instructions given for that Purpose, or
(b) is recorded with the intention that it should should be processed by means of such equipment;
The GDPR Act applies to all data controllers established in Ireland who process personal data in the context of that establishment. . It does not matter whether the personal data relates to non-Irish people, or whether the data controller actually carries on all of its activities outside of Ireland. Once the data controller is established in Ireland and processes personal data in the context of that establishment, then it is subject to Irish data protection law for the personal data processed in the context of that establishment.
However, the term ‘established in Ireland’ requires some clarification.
(i) Individuals normally resident in Ireland
Individuals can be data controllers – e.g. doctors, pharmacists, politicians and lawyers. Where the individual data controller is resident in Ireland, he or she must comply with the provisions of the Data Protection Acts.
(ii) A body incorporated under the law of the State
The bulk of Irish data controllers will fall into this category, which includes companies and other bodies corporate that are incorporated under Irish law. Note that this category includes all companies incorporated in Ireland, including a company that is a wholly-owned subsidiary of an overseas company.
(iii) A partnership or other unincorporated association formed under the law of the State.
This category includes some legal and accountancy firms, medical practices, and voluntary associations.
(iv) A person who does not fall within (i)-(iii) above, but who maintains either
I. an office, branch, or agency in Ireland, through which the person carries on any activity, or
II. a regular practice in Ireland.
Is information which is recorded as part of a relevant filing system or with the intention it should form part of a relevant filing system;
Relevant filing system means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;
Personal data is data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller;
Personal Data is any information about or relating to the individual. In this respect, the term “personal data” has a different meaning than the term “personal information”, as used in the Freedom of Information Act, which is restricted to the sort of private, confidential or sensitive information that might only be known to the individual and his or her family.
Disclosure – In relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed.
What is a Data Protection Impact Assessment (DPIA) if your organisation collects stores or uses personal data, the individuals whose data you are processing are exposed to risks? The risks range from personal data being stolen or inadvertently released and used by criminals to impersonate the individual, to worry being caused to individuals that their data will be used by your organisation for unknown purposes.
A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and to minimise these risks as far and as early as possible. DPIAs are important tools for negating risk, and for demonstrating compliance with the GDPR.Where the DPIA indicates that the risks identified in relation to the processing of personal data cannot be fully mitigated, data controllers will be required to consult the DPC before engaging in the process. Organisations should now start to assess whether future projects will require a DPIA and,
if the project calls for a DPIA, consider:
• Who will do it?
• Who else needs to be involved?
• Will the process be run centrally or locally?
It has always been good practice to adopt privacy by design as a default approach; privacy by design and the minimisation of data have always been implicit requirements of the data protection principles. However, the GDPR enshrines both the principle of “privacy by design” and the principle of “privacy by default” in law. This means that service settings must be automatically privacy friendly, and requires that the development of services and products takes account of privacy considerations from the outset.
A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
FIPS 140-2 , etc , etc is an acronym for Federal Information Processing Standard, it is the US government’s requirements on methods for securing data or definition of what security mechanisms should do.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) of 1995. The regulation was adopted on 27 April 2016.
It came into force on 25th May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is directly binding and applicable.
Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
A controlling undertaking and its controlled undertakings;
Hardware Security Module (HSM) is a physical computing device which safeguards and manages digital keys for strong authentication and provides cryptoprocessing. most modules come in the form of a plug-in card or an external device which attaches directly to a computer or network server.
A service as defined in point (b) of Article 1 of Directive (EU) 2015/1535 of the European Parliament and of the Council;
An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
a)as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
(b)as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
PIA’s (Privacy Impact Assessments) PIA’s are also known as DPIA’s (Data Protection Impact Assessments) this is a systematic process to assess privacy risks to individuals in the collection, use, and disclosure of their personal data. Specifically, DC (Data Controllers) must conduct DPIAs where privacy breach risks are high so that the risks to data subjects are minimized.
The GDPR introduced DPIAs as a means to identify high risks to the privacy rights of individuals when processing their personal data. When these risks are identified, the GDPR expects that an organisation formulates measures to address these risks. Those measures may take the form of technical controls such as Encryption, Pseudonymisation, or Anonymisation of data.
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
The GDPR refers to Pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. An example of Pseudonymisation is encryption, which renders the original data unintelligible and the process cannot be reversed without access to the correct decryption key.
The GDPR requires that this additional information (such as the decryption key) be kept separately from the Pseudonymised data. Pseudonymisation is recommended to reduce the risks to the concerned data subjects and also help controllers and processors to meet their data-protection obligations.
Although the GDPR encourages the use of Pseudonymisation to “reduce risks to the data subjects,” Pseudonymised data is still considered personal data and therefore remains covered by the GDPR.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
An objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
Relevant filing system is any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;
A natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
The marking of stored personal data with the aim of limiting their processing in the future;
Spectre is a vulnerability that affects modern microprocessors that perform branch prediction. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.
An independent public authority which is established by a Member State pursuant to Article 51;
A supervisory authority which is concerned by the processing of personal data because: (a) the controller or processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority;
A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;