Retailers hold many forms of personal data that are subject to the Data Protection Acts. In addition to the standard requirements for good practice in the lawful management of personal data, particular consideration may be given to surveillance recording, direct marketing lists, customer information and, in the case of high-ticket-value sales, AML and anti-fraud data. Particular care also needs to be taken regarding information relating to underage persons.
The key considerations for ensuring compliance and minimising your exposure to risk in retail are typically:
- Documentation of your data and processes in line with Article 30 of GDPR
- Sound consent and contractual arrangements and safeguards relating to data subjects
- Avoidance of breaches, and in particular IT breaches
- A qualified judgement regarding the requirement for an impact assessment or requirement for a Data Protection Officer
- Preparation for a breach or access request event
first can take you through a structured process to ensure that you are managing your personal data in accordance with regulation and in the context of the scale and nature of your business. We can help you to implement safeguards that will minimise negative exposure to your business.
Not-for-profit organisations are subject to the Acts in the same manner as other organisations, with certain exemptions relating to sensitive data. Data protection attention in this sector typically relates to the obtaining of subject data, security, fundraising activities, the use of personal data in social media and, where the organisation has premises open to the public, the use of CCTV.
Organisations in this sector often cater for children or other vulnerable persons, and additional care is required to ensure that their particular rights are protected. It is essential to implement sufficient safeguards to demonstrate good practice.
first provides an in-depth assessment and risk evaluation of the essential processes to deliver a data protection plan that is consistent with the nature and scale of the organisation. The objective is to deliver a practical roadmap to avoid adverse events, with particular regard to the significance of reputational damage in this sector.
Commercial & Industrial
The requirements of commercial or industrial organisations vary significantly depending on the scale and nature of the organisation and the category of data. The personal data issues relating to the retail, online or professional services aspects of your business are covered elsewhere, and additional consideration is often given to:
- Scale of operation: is an impact assessment or a data protection officer required?
- International transfer of data
- Location or fleet surveillance
- Contractual arrangements with suppliers
- Industry specific regulation
first will provide you with a plan that is appropriate for the scale and scope of your organisation to remain compliant and minimise your exposure to financial or reputational damage.
The nature of professional services often necessitates the capturing of personal data relating to subjects. This data is currently covered by an array of law and regulation; however, from May 25th 2018 state bodies require a law to legitimise their activity. Not all requirements are currently covered by law; many are simply regulation. From a legal perspective, the rights of the subject under GDPR will trump those of regulation, and it may take some time to normalise practices. This may cause some uncertainty in the short term and may affect the advice provided to clients.
Besides the normal DP considerations relating to clients, employees, direct marketing, surveillance, social media, e-commerce and international transfer, and the importance of IT integrity and subcontractor contracts, particular attention may need to be focused on:
- Comprehensive and manageable retention policies (that may evolve over the coming years)
- The significance of legal proceedings on Access Requests
- Understanding of the basics of Data Protection while strategising with clients
- Managing AML, Revenue, and other government agency requirements
first can support you in a manner consistent with your own skills and circumstances to minimise risk and ensure compliance, and can also assist you with planning for Data Protection events relating to your clients.
Medical and care environments carry a higher burden of personal data due to the nature of the services provided. In addition to the attention required for the lawful obtaining and processing of data in general, and the additional compliance monitoring and reporting obligations, there are four areas of particular interest in this sector:
- The management of sensitive data
- The new ability for highly distressed subjects to take punitive action (without the need to prove material damage)
- The use of mass surveillance in an area open to the public
- Managing Access Requests within statutory timelines
While these items are not necessarily the most time-consuming aspects of Data Protection, they are the areas most likely to result in financial or reputational harm.
first can work with you and your Data Protection Officer to ensure that due consideration has been given to the management of contracts, processes, IT security, adverse event management and training. We can also provide data protection impact assessments, a comprehensive risk-based analysis of Data Protection, recommendations on best practice in the mitigation of risk to the organisation, strategic decision making and hands-on support as required.