# General Data Protection Regulation (GDPR) Notes

## How to use these notes

These notes rewrite the rough GDPR mind map into a clean study format. The aim is to preserve every concept from the original material while making the wording easier to understand and revise.

The notes are organised section by section:

1. Privacy before GDPR
2. The development of data protection law
3. Key GDPR definitions
4. GDPR principles
5. Scope and applicability
6. Data subject rights
7. Lawful processing
8. Retention and security
9. Regulatory structure and the one-stop shop
10. Records, DPIAs, and privacy by design
11. Controller and processor duties
12. Data Protection Officers
13. Data breaches
14. Accountability and board-level responsibility
15. Encryption and technical protection
16. International transfers
17. Cookies, NIS, and IP addresses
18. Compliance, penalties, audits, and documentation

---

# General Data Protection Regulation

The General Data Protection Regulation, usually called GDPR, is the major European legal framework governing the collection, use, storage, transfer, and protection of personal data.

GDPR is not only about cybersecurity. It is about the rights of individuals and the duties of organisations that handle information about them. It affects how organisations collect consent, explain their use of data, store records, handle breaches, appoint responsible officers, transfer data internationally, and prove that they are complying with the law.

A central idea behind GDPR is that personal data belongs to the person it relates to. Organisations may use that data only when they have a lawful basis, and they must be able to explain and justify what they are doing with it.

---

# Privacy before GDPR

## The emergence of privacy

Modern privacy law did not begin with GDPR. One of the most important early legal discussions of privacy came from the article **The Right to Privacy**, published in the Harvard Law Review in 1890 by Samuel Warren and Louis Brandeis.

Their complaint was that newspapers and gossip journalism were intruding too far into private life. They argued that private details were being turned into a commercial product. Personal relationships, domestic life, and private matters were being published to satisfy public curiosity rather than genuine public interest.

The main idea of the article was that common law should protect privacy. Warren and Brandeis argued that people should have a legal right to be free from unnecessary intrusion.

## The right to be left alone

The article referred to Mr Justice Cooley's earlier idea of a **right to be left alone**. This phrase became one of the most famous ways of describing privacy.

The basic meaning is simple: people should have a protected private space where the state, the press, businesses, or other individuals cannot intrude without proper justification.

The article used the image of a person's house as a castle. The law already protected the home from physical intrusion. Warren and Brandeis argued that the law should also protect the private life of the person from public curiosity and unwanted exposure.

---

# Privacy in Ireland before GDPR

Irish privacy law developed through constitutional interpretation, legislation, and court decisions. The Irish Constitution contains no single express privacy clause, but several of its provisions have been used to support privacy rights.

## Constitutional sources of privacy

Important constitutional provisions include:

| Constitutional provision | Meaning for privacy |
|---|---|
| Article 40.3 | The State guarantees to respect, defend, and vindicate the personal rights of citizens, as far as practicable. |
| Article 41.3.1 | The State promises to guard the institution of marriage and protect it against attack. |
| Article 40.5 | The dwelling of every citizen is inviolable and cannot be forcibly entered except in accordance with law. |

These provisions helped Irish courts recognise privacy as a personal constitutional right, even though the Constitution does not always use the word "privacy" directly.

## Earlier data protection legislation

Before GDPR, Ireland had the **Data Protection Acts 1988 to 2003**. These laws have now been superseded by later data protection law connected to GDPR, but they formed part of the earlier legal background.

## Privacy is not absolute

Irish law recognises privacy, but privacy does not always win. It must often be balanced against other rights or public interests.

For example, privacy may be limited by:

- the common good
- criminal investigations
- taxation
- public inquiries
- freedom of expression
- the right to life
- public morality, historically
- the public interest in exposing wrongdoing

This is why privacy law often involves balancing one right against another.

---

# Important Irish privacy cases

## McGee v Attorney General 1974

**Topic:** Marital privacy.

In **McGee v Attorney General**, the Supreme Court recognised marital privacy as an important constitutional right. The case helped establish that privacy could be protected as an unenumerated personal right under the Constitution.

The Court stated that privacy was widely recognised in society and that marital privacy was one of the most important areas of privacy.

### Key point

This case is important because it helped establish that privacy can exist as a constitutional right even when it is not written explicitly as a single named right.

## Kennedy and Arnold v Ireland 1987

**Topic:** Communications privacy and phone tapping.

This case involved phone tapping under section 56 of the Post Office Act 1908. The issue was whether the State had interfered with constitutional rights by tapping communications.

The Court held that even though privacy was not specifically guaranteed by the Constitution, it flowed from the Christian and democratic nature of the State. The Court treated privacy as a fundamental personal right.

The right to privacy was held to include respect for telephone conversations.

### Key point

This case is central for communications privacy. It confirmed that private communications are protected by constitutional privacy rights.

## Haughey v Moriarty 1999

**Topic:** Banking privacy and public inquiries.

This case concerned the limits of privacy in the context of investigations and the common good. The Court accepted that the plaintiffs had a constitutional right to privacy, but the question was how far that right extended.

The issue was whether privacy extended to banking transactions and whether the common good outweighed that privacy.

### Key point

Privacy can include financial information, but it may be overridden by a strong public interest.

## Redmond v Flood 1999

**Topic:** Privacy and public investigations.

This case involved a challenge to investigations by the Flood Tribunal. The Court recognised that matters considered by the Oireachtas to be of urgent public importance may need to be investigated in the common good.

### Key point

A public inquiry can justify interference with privacy when the matter is sufficiently important.

## Bailey v Flood 2000

**Topic:** Judicial review and privacy limits.

In this case, the Supreme Court refused leave for judicial review of the defendant's actions. It is another example of privacy being balanced against investigative powers and public interest.

### Key point

Privacy does not automatically block investigations or official inquiries.

## Norris v Attorney General 1984

**Topic:** Individual privacy and public morality.

In **Norris v Attorney General**, the Supreme Court refused to recognise absolute individual privacy. The Court held that privacy could yield to the State's interest in maintaining public morals.

Later, the State changed its position after European Court of Human Rights developments and enacted the **Criminal Justice Sexual Offences Act 1993**.

### Key point

This case shows that privacy law can evolve. What the courts accept at one time may later change because of human rights developments.

## DPP v McCann 1998

**Topic:** Privacy versus the right to life.

This case involved Gardaí seeking adoption papers. The Court treated the right to life as more important than privacy in the circumstances.

The reasoning was that the State had an obligation to discover why a fundamental constitutional right, the right to life, had been unjustly extinguished.

### Key point

Privacy can be overridden where the right to life is at stake.

## National Irish Bank v RTE 1998

**Topic:** Privacy, confidentiality, and freedom of expression.

This case involved privacy being balanced against freedom of expression and the public interest in exposing wrongdoing.

The Court recognised that there may be a public interest in defeating wrongdoing that outweighs confidentiality.

### Key point

Privacy and confidentiality can lose where publication serves a serious public interest.

---

# Different people can have different privacy expectations

Privacy rights are not identical in every situation. The strength of a privacy claim depends on the person, the context, and the type of information involved.

## Ahearne and Ahearne v RTE 2005

**Topic:** Privacy categories in a nursing home investigation.

This case concerned the Leas Cross nursing home. The court considered different categories of people, including nurses, patients, and owners.

Each category had a different privacy position because their roles and vulnerability were different.

### Key point

Privacy must be analysed by context. A patient, an employee, and a business owner may not have the same expectation of privacy.

## Von Hannover v Germany 2004

**Topic:** Privacy and public figures.

This European Court of Human Rights case considered the privacy rights of a public figure. It is relevant because it shows that even famous people can have privacy rights, especially where publication does not contribute to a matter of public debate.

### Key point

Public figures do not lose all privacy rights.

## McGrory v ESB 2003

**Topic:** Waiver of privacy in legal claims.

The plaintiff sued ESB for personal injuries. Because the plaintiff put his health in issue, ESB was entitled to inquire into his medical condition.

### Key point

A person may partly give up privacy in a specific area by making that area relevant to a legal claim.

## Douglas v Hello! 2005

**Topic:** Privacy as property and confidential information.

This case involved the sale of rights to wedding photographs. The court focused more on confidential information than a pure right to privacy.

### Key point

Some privacy-related disputes may actually be about confidential information, commercial control, or property-like rights.

## Jane O'Keefe v Ryanair 2002

**Topic:** Compromising privacy for compensation.

This case is an example of how a person may compromise or give up some privacy when seeking compensation.

### Key point

Privacy can be affected by a person's own legal or financial choices.

---

# Privacy versus freedom of expression

Privacy and freedom of expression are both fundamental rights. They often clash in media cases.

The challenge is not simply to say that one right always wins. Courts, editors, journalists, and media lawyers must balance the right to privacy against the public interest in publication.

## The balancing problem

A media organisation may argue that it has a right to publish information. A person affected by the publication may argue that the information is private.

The court must consider questions such as:

- Is the information genuinely private?
- Did the person have a reasonable expectation of privacy?
- Is there a public interest in publication?
- Does the public interest apply to every part of what was published?
- Is the information intimate, humiliating, or medically sensitive?
- Were photographs obtained secretly?
- Does the publication contribute to democratic debate?

---

# Campbell v Mirror Group Newspapers 2004

## Background

**Campbell v Mirror Group Newspapers** was an important United Kingdom case after the Human Rights Act 1998.

The Daily Mirror discovered that Naomi Campbell, despite publicly denying drug use, was attending Narcotics Anonymous meetings. The newspaper published an article and a photograph.

## Private material identified by the court

The court analysed the article carefully. It identified five elements of private material:

1. The fact of Ms Campbell's drug addiction.
2. The fact that she was receiving treatment for addiction.
3. The fact that the treatment was at Narcotics Anonymous.
4. Details of the treatment and her reaction to it.
5. Photographs of her leaving a treatment session, obtained without her knowledge.

## Legal issues

Two main issues arose:

1. How far should the law protect private information from unjustified publication?
2. How should that protection be reconciled with freedom of expression?

## Legacy of Campbell

The case does not mean newspapers can never publish stories about politicians, celebrities, or public figures. It does mean that publication decisions must be more rigorous.

A careful approach should ask:

1. Does the publication contain material where there is a reasonable expectation of privacy?
2. If yes, is there a public interest defence?
3. Does the public interest apply to each private element of the publication?
4. How private is the information?
5. What type of speech is involved?
6. Does the information have political or democratic value?
7. Should photographs be considered separately?

## Special treatment of photographs

Photographs can be especially intrusive. If photographs show humiliation, embarrassment, medical vulnerability, or private treatment, publication will be harder to justify.

This is even more serious where photographs were obtained secretly or without consent.

### Key point

Campbell shows that privacy analysis is detailed. A court may approve some parts of a publication but reject other parts.

---

# Genesis of data protection

## Data protection is a modern idea

Data protection is much newer than the general idea of privacy. Privacy existed long before computers. Data protection became urgent because of digital records and electronic databases.

Before modern data protection law, information protection was often driven by professional ethics rather than legal rules. Doctors, lawyers, accountants, and other professionals had duties of confidentiality.

## Why digital records changed the problem

Paper records are limited. They are harder to copy, search, combine, transfer, and analyse at scale.

Electronic records created new risks because personal information could be:

- stored in huge databases
- copied instantly
- searched quickly
- combined with other data
- analysed automatically
- transferred across borders
- leaked at scale
- used for profiling

This made privacy risks more powerful and more varied.

---

# European development of data protection

The European development of data protection can be understood as a timeline.

| Year | Development | Importance |
|---|---|---|
| 1953 | European Convention on Human Rights, Article 8 | Protected respect for private and family life, home, and correspondence. |
| 1981 | Council of Europe data protection convention | Created an early international data protection framework. |
| 1995 | Data Protection Directive | Harmonised data protection law across the EU through national implementation. |
| 2018 | General Data Protection Regulation | Created a directly applicable EU regulation with stronger rights, duties, and penalties. |

## Article 8 ECHR

Article 8 of the European Convention on Human Rights protects the right to respect for private and family life, home, and correspondence.

This is not exactly the same as GDPR, but it is part of the human rights background to European privacy and data protection law.

## From directive to regulation

The 1995 Data Protection Directive required Member States to create national laws. This meant there could be differences between countries.

GDPR is a regulation, meaning it applies directly across the EU. It was designed to create a more consistent system.

---

# Key GDPR definitions

GDPR uses specific terms. These definitions matter because legal duties depend on them.

## Data controller

A **data controller** is the natural or legal person, public authority, agency, or other body that decides the purposes and means of processing personal data.

In simple terms, the controller decides:

- why personal data is processed
- how personal data is processed

### Example

A college that collects student records decides what information is needed, why it is needed, and how it will be used. The college is likely to be the data controller.

## Data processor

A **data processor** is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

In simple terms, the processor acts for the controller.

### Example

A cloud storage company storing student records for a college may be a processor if it acts under the college's instructions.

## Data subject

A **data subject** is an identified or identifiable natural person.

Important points:

- A data subject must be a person.
- A company cannot be a data subject.
- There is no restriction based on nationality.
- There is no restriction based on place of residence.
- A person can be identifiable directly or indirectly.

### Example

A student, employee, patient, customer, or website user can be a data subject.

## Personal data

**Personal data** means any information relating to an identified or identifiable natural person.

A person may be identified directly or indirectly by information such as:

- name
- identification number
- location data
- online identifier
- physical identity
- physiological identity
- genetic identity
- mental identity
- economic identity
- cultural identity
- social identity

### Simple rule

If information can be linked to a living person, it may be personal data.

## Biometric data

**Biometric data** is data produced from processing a person's physical, physiological, or behavioural characteristics in order to uniquely identify that person.

Examples include:

- facial images used for recognition
- fingerprint data
- iris scans
- voice recognition patterns
- behavioural recognition patterns, where used for identification

## Genetic data

**Genetic data** is data relating to inherited or acquired genetic characteristics that give unique information about a person's physiology or health.

This often comes from analysis of a biological sample.

### Example

DNA test data can be genetic data.

## Consent

**Consent** means a freely given, specific, informed, and unambiguous indication of the data subject's wishes.

Consent must be shown by:

- a statement, or
- a clear affirmative action

It must show agreement to the processing of personal data.

### Key point

Silence, inactivity, and pre-ticked boxes are not valid consent.

## Binding corporate rules

**Binding corporate rules**, or BCRs, are internal rules followed by organisations within the same corporate group for transferring personal data internationally.

They are used for transfers within a group of undertakings involved in joint economic activity.

### Key point

BCRs are one method of making international data transfers lawful.

## Cross-border processing

**Cross-border processing** can mean either:

1. Processing carried out through establishments in more than one EU Member State.
2. Processing carried out by a single EU controller or processor that substantially affects data subjects in more than one Member State.

### Example

A company based in Ireland that processes customer data affecting people in Ireland, France, and Germany may be involved in cross-border processing.

## Data concerning health

**Data concerning health** is data related to a person's physical or mental health.

It includes data connected to healthcare services where the data reveals information about health status.

### Example

Medical records, diagnosis information, treatment records, and mental health information can all be health data.

## Filing system

A **filing system** is any structured set of personal data that is accessible according to specific criteria.

It may be:

- centralised
- decentralised
- dispersed functionally
- dispersed geographically

### Key point

GDPR can apply even where data is not in one single database, as long as it is structured and searchable by criteria.

## Main establishment

The **main establishment** is important for deciding which supervisory authority is the lead authority.

For a controller with establishments in more than one Member State, the main establishment is usually the place of central administration in the EU.

However, if decisions about the purposes and means of processing are made in another EU establishment, and that establishment has power to implement those decisions, that place may be the main establishment.

For a processor, the main establishment is usually its central administration in the EU. If it has no central administration in the EU, the main establishment is the EU establishment where the main processing activities take place, to the extent that the processor is subject to GDPR obligations.

## Data breach

A **personal data breach** is a breach of security leading to accidental or unlawful:

- destruction
- loss
- alteration
- unauthorised disclosure
- unauthorised access

This applies to personal data that is transmitted, stored, or otherwise processed.

## Processing

**Processing** means any operation performed on personal data or sets of personal data.

It includes:

- collection
- recording
- organisation
- structuring
- storage
- adaptation
- alteration
- retrieval
- consultation
- use
- disclosure by transmission
- dissemination
- making available
- alignment
- combination
- restriction
- erasure
- destruction

### Key point

Processing is extremely broad. Almost anything an organisation does with personal data is processing.

## Profiling

**Profiling** means automated processing of personal data to evaluate personal aspects of a natural person.

It may be used to analyse or predict:

- work performance
- economic situation
- health
- personal preferences
- interests
- reliability
- behaviour
- location
- movements

### Example

A system that uses spending behaviour to predict whether a person is financially reliable may involve profiling.

## Pseudonymisation

**Pseudonymisation** means processing personal data so that it can no longer be attributed to a specific data subject without additional information.

The additional information must be:

- kept separately
- protected by technical and organisational measures
- controlled so that the data cannot easily be linked back to the person

### Important distinction

Pseudonymised data is not the same as anonymous data. If the person can still be identified using additional information, GDPR can still apply.
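The separation the definition describes, as an added illustration that is not part of the original notes: direct identifiers are replaced by a keyed token and the mapping back to the person is held in a separate lookup table. The records and key are constructed, and HMAC-SHA256 is assumed as the tokenisation function.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample records; these are not real people.
RECORDS: List[Dict[str, str]] = [
    {"name": "Aoife Byrne", "email": "aoife@example.ie", "course": "Law", "grade": "A"},
    {"name": "Sean Murphy", "email": "sean@example.ie", "course": "Law", "grade": "B"},
    {"name": "Aoife Byrne", "email": "aoife@example.ie", "course": "IT", "grade": "A"},
]

# Fields that identify a person directly and must not stay in the shared dataset.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed demo key. In practice this lives with the lookup table, away from
# the dataset, and is covered by the "technical and organisational measures".
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def make_pseudonym(key: bytes, identifier: str) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated). The same identifier under the
    same key always gives the same token, so records about one person remain
    linkable; without the key the token cannot be turned back into the email."""
    digest = hmac.new(key, identifier.strip().lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Return (pseudonymised dataset, lookup table).

    The dataset carries only a 'subject' token plus non-identifying fields.
    The lookup table is the 'additional information' of the definition and is
    what must be stored separately from the dataset."""
    dataset: List[Dict[str, str]] = []
    lookup: Dict[str, Dict[str, str]] = {}
    for rec in records:
        token = make_pseudonym(key, rec["email"])
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        dataset.append({"subject": token, **rest})
    return dataset, lookup


def contains_direct_identifiers(dataset: List[Dict[str, str]]) -> bool:
    """Sanity check before releasing a dataset: no direct identifier column left."""
    return any(field in row for row in dataset for field in DIRECT_IDENTIFIERS)


def reidentify(dataset: List[Dict[str, str]], lookup: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Attribute rows back to people. This only works with the separately held
    lookup table, which is why pseudonymised data is still personal data."""
    restored = []
    for row in dataset:
        ident = lookup.get(row["subject"])
        if ident is None:
            raise KeyError("no lookup entry for token; cannot attribute row")
        restored.append({**ident, **{k: v for k, v in row.items() if k != "subject"}})
    return restored


if __name__ == "__main__":
    data, table = pseudonymise(RECORDS, DEMO_KEY)
    for row in data:
        print(row)
    print("direct identifiers present:", contains_direct_identifiers(data))
    print("re-identified with lookup table:", reidentify(data, table)[0]["name"])
```

A dataset tokenised under a different key shares no tokens with the lookup table, so the table alone does not re-identify it; conversely, anyone holding both the dataset and the table can.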

## Representative

A **representative** is a person established in the EU who is designated by a controller or processor to represent them regarding GDPR obligations.

This is especially relevant for organisations outside the EU that fall within GDPR's reach.

## Supervisory authority

A **supervisory authority** is an independent public authority established by a Member State under Article 51 GDPR.

In Ireland, the relevant authority is the Data Protection Commission.

A supervisory authority is also commonly called a DPA, meaning Data Protection Authority.

---

# GDPR principles under Article 5.1

Article 5.1 GDPR sets out the core principles for processing personal data. These principles are the foundation of GDPR compliance.

Personal data must be:

1. processed lawfully, fairly, and transparently
2. collected for specified, explicit, and legitimate purposes
3. adequate, relevant, and limited to what is necessary
4. accurate and kept up to date
5. kept in identifiable form only as long as necessary
6. processed securely

## Lawfulness, fairness, and transparency

Personal data must be processed legally and in a way that is fair to the data subject.

Transparency means the data subject should understand:

- what data is being collected
- why it is being collected
- how it will be used
- who it may be shared with
- how long it may be kept
- what rights the data subject has

## Purpose limitation

Personal data may only be collected for specified, explicit, and legitimate purposes.

This means an organisation should not collect data for one reason and then use it later for a completely unrelated reason without a valid legal basis.

### Example

If a company collects an email address to send a receipt, it cannot automatically use that email address for marketing unless it has a lawful basis to do so.

## Data minimisation

Personal data must be adequate, relevant, and limited to what is necessary.

This means organisations should collect only the personal data they actually need.

### Example

A shop may need a delivery address to send an item. It usually does not need the customer's date of birth for a basic delivery.

## Accuracy

Personal data must be accurate and kept up to date.

If inaccurate personal data could harm a person, the organisation must take reasonable steps to correct or erase it.

## Storage limitation

Personal data should be kept in a form that identifies the data subject only for as long as necessary.

This means organisations need retention periods. They should not keep personal data forever unless there is a valid reason.

## Integrity and confidentiality

Personal data must be processed securely.

This includes protection against:

- unauthorised access
- unlawful processing
- accidental loss
- destruction
- damage

Security should involve appropriate technical and organisational measures.

---

# Applicability and scope of GDPR

GDPR has extensive reach. It can apply to organisations inside and outside the EU.

## Organisations inside and outside the EU

GDPR applies to organisations established in the EU. It can also apply to organisations outside the EU where their processing activities relate to individuals in the EU.

The original notes describe this as applying to organisations within and outside the EU and creating liability in the event of a data breach.

## Protection of natural persons

GDPR protects information relating to natural persons, whatever their nationality or place of residence.

This means GDPR protection is not limited only to EU citizens. The focus is on the processing activity and the relationship to EU law, not simply citizenship.

## Identified or identifiable persons

Personal data is information relating to an identified or identifiable person.

A person may be identifiable directly or indirectly through:

- name
- identification number
- location data
- online identifier
- physical characteristics
- physiological characteristics
- genetic characteristics
- mental characteristics
- economic characteristics
- cultural characteristics
- social characteristics

## Impact on anonymised data

The broad definition of identifiable characteristics creates a problem for organisations that distribute anonymised data.

Data that looks anonymous may still be personal data if it can be linked back to a person directly or indirectly.

### Key point

Organisations must carefully assess whether anonymised data can be re-identified. If re-identification is possible, GDPR may still apply.

---

# Data subjects' rights

GDPR strengthens the rights of data subjects. These rights must be balanced against the free flow of data used to support economic activity.

The original material stresses that organisations must understand:

- what data they collect
- how they use it
- what legal basis they rely on
- what they can and cannot do without specific consent

Data subjects can also seek judicial remedies against controllers and processors. They may claim compensation for damage caused by GDPR breaches.

This gives controllers a strong interest in ensuring that processors protect any personal data passed to them.

---

# Consent under GDPR

Consent is one possible lawful basis for processing personal data, but it must meet strict conditions.

## Consent must be clear

Consent must be:

- freely given
- specific
- informed
- unambiguous

There must be a clear affirmative act.

### Not valid consent

The following are not valid consent:

- silence
- pre-ticked boxes
- inactivity
- vague consent hidden in unclear terms

## Consent for each processing activity

Processing cannot proceed unless the data subject has consented to the relevant processing activity.

If an organisation wants to use data for multiple purposes, it may need separate consent or another lawful basis for each purpose.

## Consent and children

For children under 16, organisations may need consent from the holder of parental responsibility.

The exact age threshold may vary depending on Member State rules, but the source material emphasises the under-16 position.

## How consent can be collected

Consent can be collected through a tick box, but the request must be clear and simple.

The consent request should be:

- clear
- concise
- written in simple terms
- not unnecessarily disruptive to the use of the service

## Withdrawal of consent

A data subject can withdraw consent.

The controller must make withdrawing consent as easy as giving it was.

### Example

If a user can consent by clicking one button, they should not have to write a letter or call a phone line to withdraw consent.

---

# Right to be forgotten

The **right to be forgotten** is the right to have personal data erased in certain circumstances.

## When erasure may be required

Data may need to be erased where:

- the data is no longer necessary
- the data subject withdraws consent
- there is no other lawful basis for processing
- the data has been unlawfully processed
- erasure is required by law

The original notes emphasise that erasure must occur if the data subject withdraws consent for all processing for which the data is held.

## Public data and reasonable steps

If the data has been made public, the controller may need to take reasonable steps to erase it or notify others who are processing it.

This can include data in:

- news articles
- public databases
- online records
- search results
- shared systems

The Data Protection Authority will want to see that appropriate technical and procedural measures were used.

### Key point

Erasure is not only about deleting a local file. It may require a wider process to address copies and public availability.

---

# Data portability

The right to **data portability** allows data subjects to receive their personal data in a usable format.

## What the data subject can request

A data subject can request:

1. a copy of personal data held about them
2. transmission of that data to another controller, where technically feasible

## Required format

The data must be provided in a:

- structured
- commonly used
- machine-readable format

## Practical example

Banks may already have systems and contacts that allow transfer of customer data between institutions. These existing channels can help support data portability.

### Key point

Data portability is about giving individuals control and helping them move between service providers.

---

# Lawful processing under Article 6

Article 6 GDPR explains when processing is lawful.

Processing is lawful if at least one lawful basis applies. The source material highlights two broad categories:

1. the data subject has given consent
2. processing is necessary for certain tasks

Many lawful bases require consideration of the data subject's interests.

## Legitimate interests

Processing may be lawful where it is necessary for the legitimate interests of the controller or a third party.

However, this does not apply if those interests are overridden by the interests, fundamental rights, and freedoms of the data subject.

This is especially important where the data subject is a child.

### Meaning

Legitimate interests can make reasonable processing lawful where it supports an organisation's interests. But the organisation must check that it does not unfairly harm the data subject.

## Public interest and official authority

Processing can also be lawful where it is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller.

This is especially relevant for public bodies or organisations carrying out official functions.

## Processing without consent

If an organisation processes personal data without consent, it must clearly show another lawful basis.

The original notes state that in many cases it may be simpler and safer to secure consent. However, in proper GDPR analysis, organisations should choose the lawful basis that genuinely fits the processing.

## Limited purposes and minimal extent

Personal data can only be processed for limited purposes and to a minimal extent.

This links directly to transparency because the data subject must understand the nature of the processing.

The organisation must be able to explain:

- the purpose of processing
- why the data is needed
- why less data would not be enough
- how long the data will be kept
- who will receive it

---

# Special categories of data

GDPR places stricter limits on special categories of personal data.

The original notes list examples such as:

- ethnicity
- sexual orientation
- health data

Processing these categories is generally forbidden unless a specific exception applies.

## Examples of special category data

Special category data may include:

- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data used for identification
- health data
- sex life
- sexual orientation

## Why special category data is treated differently

This data is sensitive because misuse could cause serious harm, discrimination, exclusion, embarrassment, or loss of rights.

### Key point

Special category data requires stronger justification and stronger safeguards.

---

# Retention of data

GDPR requires organisations to think carefully about how long they keep personal data.

## Link to the right to be forgotten

The right to be forgotten means controllers may need to erase data when continued retention is no longer lawful.

## Limited retention periods

Data can only be retained for limited periods, and those periods should usually be clear to the data subject at the time of consent or collection.

### Example

A privacy notice should explain how long records will be kept or how the retention period will be decided.

## No single hard rule

There is no one retention period for all data.

Some data may be kept for a long time or even effectively indefinitely where there is a lawful reason. Public bodies may keep certain records for governmental, archival, legal, or public interest purposes.
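The following is an added example, not part of the original notes, of how a retention schedule of the kind described above can be turned into a routine deletion job. It encodes a period per record category, an explicit "indefinite" category for archival records, a legal hold that suspends erasure after the period has expired, and a flag for records whose category has no documented period at all (a gap the data subject cannot have been told about). The categories, day counts and sample records are assumptions for illustration; GDPR itself fixes no retention periods.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention schedule per record category, in days. Categories and periods are
# illustrative assumptions for this example; GDPR sets no fixed periods.
# None means "retained indefinitely for a documented reason", for instance a
# public body's archival records.
RETENTION_DAYS: dict[str, Optional[int]] = {
    "support_ticket": 365,
    "marketing_consent_log": 365 * 2,
    "invoice": 365 * 7,          # assumed statutory accounting requirement
    "archival_record": None,
}


@dataclass
class Record:
    record_id: str
    category: str
    collected: date
    legal_hold: bool = False     # an active hold suspends erasure


def retention_deadline(record: Record) -> Optional[date]:
    """Date after which the record must be erased; None if kept indefinitely.

    Raises KeyError for a category with no documented period.
    """
    days = RETENTION_DAYS[record.category]
    if days is None:
        return None
    return record.collected + timedelta(days=days)


def classify(record: Record, today: date) -> str:
    """Decide what the retention job should do with one record."""
    if record.category not in RETENTION_DAYS:
        # A record with no documented period is a compliance gap in itself:
        # the period has to be defined (and disclosed), not guessed by the job.
        return "unscheduled"
    deadline = retention_deadline(record)
    if deadline is None:
        return "retain_indefinitely"
    if today <= deadline:
        return "retain"
    if record.legal_hold:
        return "expired_on_hold"   # period over, but erasure is suspended
    return "erase"


def retention_report(records: list[Record], today: date) -> dict[str, list[str]]:
    """Group record ids by the action the retention job should take."""
    report: dict[str, list[str]] = {}
    for record in records:
        report.setdefault(classify(record, today), []).append(record.record_id)
    return report


# Constructed sample records (not real data).
AS_OF = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("t-1001", "support_ticket", date(2023, 1, 15)),
    Record("t-1002", "support_ticket", date(2024, 3, 1)),
    Record("inv-2015-07", "invoice", date(2015, 1, 10), legal_hold=True),
    Record("arc-01", "archival_record", date(1998, 5, 20)),
    Record("cam-7", "cctv_clip", date(2024, 5, 30)),   # no documented period
]

if __name__ == "__main__":
    for action, ids in sorted(retention_report(SAMPLE_RECORDS, AS_OF).items()):
        print(f"{action:20} {', '.join(ids)}")
```

The "unscheduled" and "expired_on_hold" outcomes are the ones worth surfacing to the DPO: the first means the privacy notice cannot be telling the data subject the truth about retention, the second is the record of why an overdue record still exists.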

## Security during retention

While data is retained, its confidentiality and integrity must be protected.

This includes protection against:

- accidental loss
- destruction
- damage
- unauthorised access
- unauthorised disclosure

Because breach reporting is compulsory in many situations, secure retention is a high priority for every organisation.

---

# The one-stop shop

GDPR was intended to operate as a single data protection scheme across the EU.

## Purpose of the one-stop shop

The one-stop shop aims to:

- support the EU common market
- support the free flow of information
- reduce bureaucracy
- avoid organisations dealing separately with many different authorities
- create consistency in cross-border data protection enforcement

## European Data Protection Board

The **European Data Protection Board**, or EDPB, was created to help keep data protection law consistent across the EU.

It supports consistent interpretation and enforcement while trying to minimise unnecessary impact on commerce.

## National Data Protection Authorities

Each Member State has a Data Protection Authority.

These authorities act as points of contact for GDPR issues. They deal with complaints, investigations, enforcement, and regulatory guidance.

## Primary jurisdiction (lead supervisory authority)

An organisation carrying out cross-border processing within the EU will usually deal with a single lead supervisory authority: the DPA of the Member State in which it has its main establishment.

The main establishment is normally the place of central administration in the EU, unless decisions on the purposes and means of processing are taken in another establishment that has the power to implement them.

### Key point

The one-stop shop reduces the need for an organisation to deal with every EU regulator separately for the same cross-border processing issue.

---

# Records of processing activities

GDPR requires records of processing activities.

## Controller records

A data controller must keep records of its data processing activities.

These records should include information such as:

- what types of data are processed
- where the data is processed
- how the data is processed
- why the data is processed
- who receives the data
- how long the data is kept
- what security measures are used

## Processor records

A data processor must also keep records of processing carried out on behalf of a controller.

## DPA access

Records can be requested by the Data Protection Authority at any time.

### Key point

Good records prove that the organisation understands and controls its processing activities.

---

# Data Protection Impact Assessments

A **Data Protection Impact Assessment**, or DPIA, is a structured assessment of data protection risks.

## When DPIAs are mandatory

DPIAs are mandatory for technologies and processes that are likely to result in a high risk to the rights and freedoms of data subjects.

## Purpose of a DPIA

A DPIA helps identify:

- what personal data is being processed
- why it is being processed
- what risks exist
- who may be affected
- how serious the risks are
- what safeguards should be used
- whether processing should proceed

## DPIAs and risk assessment

Controllers should include DPIAs in their wider risk assessment process.

A DPIA should connect with:

- data protection by design
- data protection by default
- security planning
- legal compliance
- operational procedures

## One DPIA for similar operations

A single DPIA can cover a set of similar processing operations if the risks are comparable.

### Example

A company using the same customer verification process across several branches may be able to use one DPIA if the risks and processing are genuinely similar.

## Outsourcing DPIAs

DPIAs can be outsourced, but the controller remains responsible for ensuring that the assessment is adequate.

### Key point

A DPIA is not just paperwork. It is evidence that risks were considered before processing began.

---

# Data protection by design and by default

GDPR makes privacy by design a legal requirement.

## Data protection by design

Data protection by design means considering privacy and data protection from the earliest design stage of a system, process, service, or application.

The organisation should ask data protection questions before launching the project, not after something goes wrong.

## Data protection by default

Data protection by default means the default settings should protect the data subject.

For example:

- collect only necessary data by default
- make accounts private by default where appropriate
- limit access by default
- avoid unnecessary sharing by default
- apply retention limits by default

## Connection to DPIAs

DPIAs often relate to the design phase of an application or process. If risks are identified early, the design can be changed before deployment.

## Technology-neutral nature of GDPR

GDPR is technology neutral. It does not list one exact security system that everyone must use.

Instead, it requires organisations to implement appropriate technical and organisational measures.

This means security depends on factors such as:

- risk level
- sensitivity of data
- state of the art
- cost of implementation
- nature of processing
- scope of processing
- context of processing
- purposes of processing

## Proving design consideration

Organisations must be able to prove that data protection was considered from the beginning.

A Data Protection Authority will want evidence, not just claims.

Evidence may include:

- DPIAs
- design documents
- security policies
- risk registers
- access control records
- audit logs
- training records
- testing records
- vendor contracts

## When risks are too high

If the risks are too great and cannot be reduced to an acceptable level, the processing should not take place.

### Key point

GDPR expects organisations to build privacy into systems, not bolt it on afterwards.

---

# Data controller and data processor contracts

GDPR places strict duties on relationships between controllers and processors.

## Processor guarantees

A processor must provide sufficient guarantees that it will implement appropriate technical and organisational measures.

These guarantees must show that:

- GDPR requirements will be met
- the rights of data subjects will be protected
- processing will be secure
- processing will follow the controller's instructions

## Supply chain responsibility

The requirement moves down the supply chain.

A processor cannot simply appoint another processor without authorisation.

A second processor, also called a sub-processor, must provide the same level of guarantees.

## Authorisation for second processors

A processor cannot engage a second processor without the controller's prior written authorisation. The authorisation may be specific to one sub-processor or general; where it is general, the processor must inform the controller of any intended additions or replacements so that the controller has the chance to object.

This prevents processors from quietly outsourcing personal data handling to unknown third parties.

## Contractual review

Contracts must be reviewed and updated to reflect GDPR duties.

They should define:

- controller responsibilities
- processor responsibilities
- liability
- security duties
- breach notification duties
- audit rights
- use of sub-processors
- data return or deletion
- international transfer rules

## Cost impact

Higher data protection requirements may increase service costs.

Organisations may need to accept that stronger compliance, security, and documentation can cost more.

## Certification and standards

Certifications to international standards, such as ISO 27001, can help demonstrate that appropriate technical and organisational measures are in place.

However, certification does not remove the need to comply with GDPR.

### Key point

A controller cannot escape responsibility by outsourcing processing. The controller must choose processors carefully and document the relationship properly.

---

# Data Protection Officer

A **Data Protection Officer**, or DPO, is a person responsible for advising on and monitoring GDPR compliance.

## When a DPO is required

A DPO is required where:

1. data is processed by a public authority or body (other than a court acting in its judicial capacity)
2. the core activities require regular and systematic monitoring of data subjects on a large scale
3. the core activities involve large-scale processing of special categories of data, or of data relating to criminal convictions and offences

## Voluntary appointment

Some organisations appoint a DPO even where not strictly required.

This may be sensible because an organisation's activities can grow or change. A small change in business activity could create a DPO requirement later.

## Shared DPO

A group of controllers or processors may share a single DPO, as long as the DPO is easily accessible from each establishment.

## Service contract

A DPO can be employed under a service contract. This means the role can be outsourced, provided the person has the required expertise and independence.

## Required expertise

A DPO must be qualified based on expert knowledge of data protection law and practices.

The DPO should understand both legal rules and operational compliance.

## Reporting line

The DPO must report directly to top management.

This ensures that data protection remains visible to the board and senior managers.

## Duties of a DPO

A DPO's duties include:

- informing and advising the organisation
- monitoring GDPR compliance
- advising on DPIAs
- monitoring DPIA performance
- cooperating with the Data Protection Authority
- acting as a contact point for the Data Protection Authority
- supporting awareness and compliance inside the organisation

## Publication of contact details

The DPO's contact details must be published, for example in a website privacy policy, and communicated to the Data Protection Authority. Publishing the DPO's name is common but not strictly required.

## Beyond legal expertise

The source material stresses that DPOs need to be more than legal experts.

They must also understand the operational requirement to demonstrate appropriate organisational and administrative measures.

### Key point

A DPO is not decorative. The role must have expertise, access to management, and practical influence.

---

# Data breaches

GDPR introduced stronger breach notification requirements.

## Previous problem

Under the earlier Data Protection Directive, data breaches often occurred without notification to Data Protection Authorities or affected data subjects.

GDPR changed this by requiring notification in many cases.

## Notification to the Data Protection Authority

A personal data breach must be reported to the Data Protection Authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.

Where the notification is made later than 72 hours, it must be accompanied by the reasons for the delay.

## Content of breach notification

GDPR prescribes the minimum content of the notification rather than a fixed form. It must at least describe:

- the nature of the breach
- the categories of data subjects and of records affected
- the approximate number of data subjects and records affected, where possible
- the likely consequences of the breach
- the measures taken or proposed to address the breach
- the steps taken to mitigate possible adverse effects
- the name and contact details of the DPO or another contact point for further information

## Notification to data subjects

Where the breach creates a high risk to the rights and freedoms of data subjects, affected data subjects must be contacted without undue delay.

## When data subject notification may not be necessary

Notification to data subjects may not be necessary if appropriate protective measures were in place and removed the danger to data subjects.

The source material gives encryption as an example.

If stolen data is strongly encrypted and the key is not compromised, the risk to data subjects may be lower.

## Incident response

Organisations should have incident response and breach reporting processes in place before a breach occurs.

These processes should cover:

- detecting incidents
- escalating incidents
- assessing whether personal data is involved
- deciding whether notification is required
- notifying the DPA
- notifying data subjects where required
- mitigating harm
- preserving evidence
- documenting decisions
- reviewing lessons learned

## Continual testing

Processes should be tested and maintained regularly. This is necessary because the 72-hour deadline is short.

The source material notes that ISO 27001 management systems can support this type of process.

### Key point

The moment a controller becomes aware of a breach, the clock starts. Good preparation is essential.

---

# Accountability and the board

GDPR makes data protection a board-level issue.

## Data breach as a board risk

A data breach should appear on the board's risk register because of:

- potential fines
- compensation claims by data subjects
- legal costs
- regulatory investigations
- cyber crime risks
- reputational damage
- business disruption

## Controller accountability for processors

Controllers can be accountable for failures involving processors.

This means the board must ensure that processors operate according to GDPR, regardless of where the processor is located.

## Staff who need GDPR knowledge

The DPO is not the only person who needs GDPR knowledge.

Other roles that need awareness include:

- HR staff
- middle managers
- senior managers
- IT staff
- security staff
- customer service staff
- marketing staff
- anyone handling personal data

## Training

Staff awareness training should support more focused training for managers.

Training should help people recognise:

- what personal data is
- how to handle it safely
- what a breach looks like
- when to escalate concerns
- what rights data subjects have
- why documentation matters

### Key point

GDPR compliance requires organisational culture, not only legal documents.

---

# Encryption

Encryption is an important technical measure for protecting personal data.

## Mobile devices

Controllers and processors should already be encrypting mobile devices.

This is important because laptops, phones, tablets, and removable media are easily lost or stolen.

## Wider encryption

Organisations should consider extending encryption across the full data lifecycle, including:

- collection
- transmission
- storage
- backup
- processing
- archiving

## Standards

The source material mentions FIPS 140-compliant solutions as an example of recognised best practice.

Using strong standards can help show that the organisation took appropriate technical measures.

## Business benefit

Strong encryption can:

- protect personal data
- support GDPR compliance
- reduce breach impact
- improve trust
- help access new markets or clients

## Encryption in transmission

Encryption is also needed when personal data is transmitted.

Secure connections should be used for data transfer.

The source material states that SSL is no longer considered secure and that TLS 1.2 or higher is the minimum for secure connections. All versions of SSL, and TLS 1.0 and 1.1 as well, are deprecated (TLS 1.0 and 1.1 formally by RFC 8996), so a connection policy should refuse anything below TLS 1.2, prefer TLS 1.3, and verify the peer's certificate and hostname; an encrypted channel to an unverified peer protects nothing against an attacker in the path.
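As an added example, not taken from the original notes, the following Python code builds a client TLS context that enforces that minimum and contrasts it with the configuration an audit should reject: no version floor and no peer verification. The `audit_context` function returns short finding codes, which is the shape a compliance check or a unit test in a deployment pipeline would want. The check relies only on the standard library `ssl` module; the finding codes and the weak example are this example's own assumptions.

```python
import ssl

# Floor required by the notes: nothing below TLS 1.2 is acceptable.
MINIMUM_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSL and TLS 1.0/1.1 and verifies the peer."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = MINIMUM_TLS       # explicit floor, not a library default
    ctx.verify_mode = ssl.CERT_REQUIRED     # certificate must chain to a trusted CA
    ctx.check_hostname = True               # and must match the host we asked for
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The configuration an audit should reject: no floor, no verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # has to be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE         # accept any certificate, or none
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # whatever the library allows
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return policy violations found in a context; an empty list is compliant.

    Codes (assumed for this example):
      min_version          - protocol floor is below TLS 1.2
      no_cert_verification - peer certificate is not required
      no_hostname_check    - certificate is not matched against the hostname
    """
    findings: list[str] = []
    # TLSVersion is an IntEnum, so MINIMUM_SUPPORTED (-2) compares below TLSv1_2.
    if ctx.minimum_version < MINIMUM_TLS:
        findings.append("min_version")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no_cert_verification")
    if not ctx.check_hostname:
        findings.append("no_hostname_check")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weak", weak_client_context())):
        problems = audit_context(ctx)
        print(f"{label}: minimum={ctx.minimum_version.name} "
              f"findings={problems or 'none'}")
```

Pinning `minimum_version` explicitly matters even on a modern Python, whose defaults already exclude old protocols: the policy is then visible in the code and survives a change of interpreter or OpenSSL build, which is the kind of evidence a Data Protection Authority asks for.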

### Key point

Encryption is not the whole of GDPR compliance, but it is a major protective measure.

---

# International transfers

GDPR restricts transfers of personal data outside the EU where protection may be weakened.

## Core requirement

GDPR requires that protections are not undermined by transfer.

Controllers must ensure that safeguards exist so data subjects still have:

- protected rights
- effective legal remedies
- adequate security
- enforceable protections

## Why international transfers are risky

If data is sent to another country, the receiving country may not have equivalent privacy protection.

This can create risks such as:

- weaker legal rights
- limited enforcement
- government access
- poor security standards
- lack of remedies for data subjects

## US-EU Safe Harbour Framework

The source material discusses the US-EU Safe Harbour Framework.

Under Safe Harbour, US organisations could state that they followed certain principles and FAQs to meet the requirements of the Data Protection Directive. This allowed certified organisations easier access to the European market as data processors.

Safe Harbour was invalidated by the Court of Justice of the EU in October 2015 (the Schrems judgment).

## EU-US Privacy Shield

The EU-US Privacy Shield replaced Safe Harbour in 2016.

The source material states that personal data exchanged under this agreement would be governed by GDPR.

Privacy Shield was itself invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment), largely because of US government access to transferred data and the lack of effective redress for EU data subjects. An adequacy decision for its successor, the EU-US Data Privacy Framework, was adopted in July 2023.

For study purposes, treat Safe Harbour and Privacy Shield as historical examples of international transfer frameworks and of the difficulty of maintaining adequate protection when data moves outside the EU.

## Adequacy decisions

The European Commission may recognise some countries or international organisations as providing adequate protection for personal data.

Where adequacy exists, controllers and processors can transfer data to those places without additional authorisation or safeguards beyond normal GDPR requirements.

The Commission maintains a list and may remove recognition if protection is no longer adequate.

## Binding Corporate Rules

Binding Corporate Rules, or BCRs, allow controllers and processors to transfer data within a corporate group if legally binding and enforceable protections are in place.

BCRs must protect the rights of EU data subjects.

They can be based on models approved by a Data Protection Authority, or an organisation can develop its own rules.

However, the rules must cover the required GDPR content and must be approved by the Data Protection Authority.

## Codes of conduct and certifications

Codes of conduct and certifications to international standards may also help identify organisations that provide appropriate safeguards.

GDPR encourages Data Protection Authorities to develop codes of conduct and encourage data protection certifications.

## Cloud providers

International transfer rules are especially important when choosing cloud providers.

An organisation must know:

- where the cloud provider is based
- where the data will be stored
- where the data may be accessed from
- whether adequate safeguards exist
- whether data subjects have effective legal remedies

## Illegal transfers

Because controllers and processors are accountable for data they process, any transfer outside GDPR-approved arrangements may be illegal.

## Penalties

The highest penalties can apply to poor practice in international transfers.

### Key point

Before sending personal data outside the EU, an organisation must identify the transfer mechanism and document the safeguards.

---

# Additional considerations

The source material includes several related issues that affect GDPR compliance and data protection practice.

---

# Changes to cookies law

## E-Privacy Directive

The Directive on Privacy and Electronic Communications (2002/58/EC), also known as the E-Privacy Directive, became controversial when its 2009 amendments introducing cookie consent took effect in Member States in 2011, and it has remained controversial since.

It is often associated with cookie consent.

## GDPR and cookies

GDPR mentions cookies to clarify that cookies may be treated as online identifiers.

This matters because online identifiers can be personal data.

If cookies identify or track a person, GDPR may apply and consent may be required.

## Consent and exemptions

The European Commission announced in 2016 that it would evaluate the E-Privacy Directive, including possible exemptions for consent.

The source material notes that GDPR does not always require consent where processing is necessary for performance of a contract or to take steps requested by the data subject before entering into a contract.

## E-commerce example

An e-commerce website may use a cookie to track items in a shopping basket before the customer completes a purchase.

This processing may be necessary as a step leading to a contract.

## Possible future direction

The source material suggests two possibilities:

1. cookies may need to be more clearly announced and consented to
2. some specific cookie uses may remain unaffected

### Key point

Cookies are not automatically harmless. Where they identify or track users, they can become personal data issues.

---

# EU Network and Information Security Directive

The EU Network and Information Security Directive, or NIS Directive, aims to improve cybersecurity at national and EU level.

## Aim of the NIS Directive

The NIS Directive seeks to establish national cybersecurity functions that affect businesses and other organisations.

It aims to make infrastructure more secure and improve public trust in everyday technologies.

## Competent authority

The Directive seeks to establish a competent authority for cybersecurity in each Member State.

This authority is responsible for helping ensure that national infrastructure is secure from cybersecurity threats.

## Economic purpose

A more secure national infrastructure is expected to support the digital single market.

Reliable and stable services make it easier for organisations to compete in the single digital marketplace.

## Incident reporting

The NIS framework may create another authority to whom threats and incidents must be reported.

The source material raises a concern that if the competent authority is connected to security services, this could create tension with openness about breaches.

## Possible tension with GDPR

If details of data breaches are restricted or censored, this could create tension with GDPR's breach notification requirements.

### Key point

Cybersecurity regulation and data protection regulation overlap. Organisations may have reporting duties under more than one framework.

---

# IP addresses and personal data

The source material states that GDPR treats IP addresses as personal data where they can identify a person.

## Why this is controversial

Privacy campaigners and courts have debated how far IP addresses identify individuals.

An IP address may sometimes help identify a user, but it may not prove:

- who was using the device
- where the person precisely was
- whether the same person used the address each time

Dynamic IP addresses can change. Shared networks can also make identification difficult.

## Legal concern

The source material refers to a German case concerning whether website and application providers should store dynamic IP addresses for longer than necessary to deliver content. This is the Breyer case, referred by the German Federal Court of Justice and decided by the Court of Justice of the EU in 2016.

The argument was that IP addresses should be treated as personal data and not used beyond basic content delivery unless a lawful basis exists. The Court held that a dynamic IP address is personal data in the hands of a website operator where the operator has legal means to obtain, from the internet service provider, the additional information needed to identify the user.

## Practical impact

Organisations that use IP addresses for purposes beyond content delivery may need to:

- identify a lawful basis
- seek consent where appropriate
- limit retention
- document the purpose
- avoid unnecessary use
- consider anonymisation or pseudonymisation
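The last item in that list is where engineering choices matter, so here is an added example (not part of the original notes) that applies two different treatments to the client address in constructed web-server log lines. Truncation drops the host part of the address and cannot be reversed, at the cost of merging everyone on one network; keyed pseudonymisation keeps one client linkable across lines, which abuse detection and session analysis need, but only the holder of the key can test a candidate address against the data. The log lines, the key and the prefix lengths are assumptions for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample access-log lines in common log format (not real traffic;
# the addresses come from the RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /cart HTTP/1.1" 200 512',
    '2001:db8:abcd:1234::1 - - [10/Oct/2023:13:56:01 +0000] "POST /checkout HTTP/1.1" 302 0',
    '203.0.113.77 - - [10/Oct/2023:13:57:12 +0000] "GET /about HTTP/1.1" 200 1024',
]

# Assumed secret for the keyed scheme. In practice it lives in a KMS or HSM,
# is rotated, and is the "additional information kept separately" that the
# GDPR definition of pseudonymisation (Article 4(5)) relies on.
PSEUDONYM_KEY = b"example-key-store-this-separately"


def truncate_ip(ip_text: str) -> str:
    """Anonymising option: keep only the network part (IPv4 /24, IPv6 /48).

    Not reversible, but coarse: distinct clients on one network collide.
    """
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymise_ip(ip_text: str, key: bytes) -> str:
    """Pseudonymising option: replace the address with a keyed HMAC tag.

    Deterministic under one key, so a client stays linkable across lines;
    a plain unkeyed hash would not do, because the whole IPv4 space can be
    hashed and matched in seconds.
    """
    ip = ipaddress.ip_address(ip_text)
    tag = hmac.new(key, ip.packed, hashlib.sha256).hexdigest()[:16]
    return f"ip-{tag}"


def rewrite_log(lines: list[str], mode: str, key: bytes = PSEUDONYM_KEY) -> list[str]:
    """Rewrite the client-address field (first token) of each log line."""
    rewritten = []
    for line in lines:
        client, rest = line.split(" ", 1)
        if mode == "truncate":
            client = truncate_ip(client)
        elif mode == "pseudonymise":
            client = pseudonymise_ip(client, key)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        rewritten.append(f"{client} {rest}")
    return rewritten


if __name__ == "__main__":
    for mode in ("truncate", "pseudonymise"):
        print(f"--- {mode}")
        for line in rewrite_log(SAMPLE_LOG, mode):
            print(line)
```

Pseudonymised lines are still personal data under GDPR, because the key makes re-identification possible; what changes is who can perform it and how the risk is assessed. Rotating the key (for example per month) also bounds how long any one pseudonym can be linked, which ties this back to the retention limits discussed earlier.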

## Evolving scope of personal data

The source material expects that courts across the EU will continue to interpret the scope of personal data over time.

### Key point

Whether a data point is personal data can depend on whether it can be linked to a person in context.

---

# Complying with GDPR

GDPR compliance is not a single task. It is an ongoing organisational process.

---

# Repercussions of non-compliance

## Administrative fines

GDPR sets two tiers of maximum administrative fines. For the most serious infringements, including breaches of the basic principles, of data subject rights, and of the international transfer rules, organisations can face fines of up to:

- 20 million euro, or
- 4 percent of total worldwide annual turnover for the preceding financial year

whichever is higher.

A lower tier, up to 10 million euro or 2 percent of turnover, applies to infringements such as failures in security, record-keeping, breach notification, DPIAs, and DPO obligations.

The source material gives Google as an example of a company where the percentage-based calculation could create very large liability.

## Certification body exposure

Certification bodies involved in certification schemes can also face fines if they fail in their responsibilities.

This means a single breach may affect:

- the data controller
- one or more data processors
- sub-processors
- certification bodies
- other parties involved in the processing chain

## Need to understand obligations

Because penalties can apply broadly, organisations must understand their own obligations and exposure.

If there is concern about compliance, legal advice should be sought.

## Other regulators

Fines from other regulators may be smaller than GDPR fines, but combined penalties and actions can still be significant.

## Reputational damage

Reputational damage can be severe.

A breach or compliance failure may cause loss of:

- customers
- clients
- suppliers
- public trust
- business opportunities

## Top-level support

GDPR compliance needs support from the top of the organisation.

Without board and senior management support, it is difficult to implement the necessary policies, processes, training, technical measures, and cultural changes.

### Key point

The cost of non-compliance is not only a fine. It can damage the entire organisation.

---

# Understanding your data: flows and processes

The first practical step toward compliance is understanding the data.

## Data audit

An organisation should carry out a data audit to identify:

- what personal data it holds
- why it holds the data
- where the data came from
- who the data has been shared with
- where the data is now stored
- what legal basis applies
- what must be done to comply with GDPR

## Reviewing data collection processes

The audit should include existing processes for gathering personal data.

The organisation must check that there are clearly identified business and legal grounds for collection.

It must also ensure related processes comply with GDPR.

## Mapping data flows

A data flow map should show where personal data enters and leaves the organisation.

This includes points of:

- ingress, where data enters
- egress, where data leaves
- transfer to processors
- return from processors
- storage
- deletion
- archiving

## Identifying information assets

The organisation must be clear about which information assets count as personal data.

The source material gives photographs as an example. Photographs can identify individuals, so they will often be personal data.

Other examples include:

- HR files
- customer databases
- CCTV footage
- email records
- student records
- medical records
- payment records
- login logs
- IP addresses
- device identifiers

## Physical location of data

The organisation should know where data physically resides.

If cloud services are used, the organisation must know:

- where the cloud supplier is based
- where the data is stored
- where it may be accessed from
- whether data is transferred outside the EU
- whether sufficient safeguards exist
- whether legal protections and remedies are available for data subjects

## Physical records

GDPR is not only about digital records.

The audit should also include physical records such as:

- HR records
- historical records
- paper files
- signed forms
- printed reports
- archive boxes

The source material notes that historical records still matter if the data subjects are living.

## DPIAs for existing data

An organisation can carry out a DPIA for information it has already collected, not only future processing.

This can reveal weaknesses in current operations and identify what needs to be fixed.

### Key point

You cannot comply with GDPR properly unless you know what data you have and where it goes.

---

# Documentation

GDPR requires strong documentation.

Documentation proves that the organisation has taken compliance seriously and can explain its decisions.

## Why documentation matters

If a supervisory authority investigates, the organisation needs evidence.

Useful evidence may show that the organisation:

- applied best practice consistently
- kept audit trails
- notified the DPA within required timeframes
- notified affected data subjects where required
- took steps to reduce harm
- maintained policies and procedures
- trained staff
- reviewed risks
- protected personal data

Good documentation can reduce the chance of a severe fine.

## Controller and processor documentation

There are different documentation requirements for controllers and processors.

However, the burden usually falls heavily on the controller because the controller often faces consequences even where a processor is involved.

If a controller outsources processing functions, it should obtain assurances that those functions are properly documented.

## Important documentation

The original material identifies these especially important records:

1. statements of the information collected and processed
2. the purpose of processing
3. records of consent from data subjects or holders of parental responsibility
4. records of processing activities under the organisation's responsibility
5. documented processes for protecting personal data
6. information security policies
7. cryptography policies
8. procedures for handling data securely

## Additional useful documentation

A mature GDPR compliance programme may also include:

- privacy notices
- retention schedules
- data sharing agreements
- processor contracts
- sub-processor authorisations
- DPIAs
- breach response plans
- breach logs
- training records
- access control policies
- audit reports
- risk assessments
- data subject request procedures
- international transfer assessments
- encryption standards
- backup and deletion procedures

### Key point

In GDPR, being compliant is not enough. The organisation must be able to prove it.

---

# Exam-focused summary

## Privacy before GDPR

Privacy developed from ideas such as the right to be left alone. In Ireland, privacy was recognised through constitutional interpretation and court cases.

Important cases include:

- McGee v Attorney General
- Kennedy and Arnold v Ireland
- Haughey v Moriarty
- Redmond v Flood
- Bailey v Flood
- Norris v Attorney General
- DPP v McCann
- National Irish Bank v RTE
- Ahearne and Ahearne v RTE
- Von Hannover v Germany
- McGrory v ESB
- Douglas v Hello!
- Jane O'Keefe v Ryanair

## Core GDPR definitions

Know these:

- data controller
- data processor
- data subject
- personal data
- biometric data
- genetic data
- consent
- binding corporate rules
- cross-border processing
- data concerning health
- filing system
- main establishment
- data breach
- processing
- profiling
- pseudonymisation
- representative
- supervisory authority

## Article 5 principles

Personal data must be:

1. lawful, fair, and transparent
2. collected for specified, explicit, and legitimate purposes
3. adequate, relevant, and limited to what is necessary
4. accurate and up to date
5. kept only as long as necessary
6. processed securely

## Major data subject rights in these notes

The source material focuses especially on:

- consent
- withdrawal of consent
- right to be forgotten
- data portability
- judicial remedies
- compensation

## Major organisational duties

Organisations must:

- identify lawful bases
- minimise data
- keep records
- protect data
- conduct DPIAs where required
- build privacy into design and defaults
- manage processor contracts
- appoint a DPO where required
- report breaches within 72 hours where required
- notify data subjects where there is high risk
- document compliance
- train staff
- manage international transfers lawfully

---

# Quick revision table

| Topic | What to remember |
|---|---|
| Privacy | Older than GDPR and linked to dignity, home, communications, family, and private life. |
| GDPR | Main EU framework for personal data protection. |
| Personal data | Any information relating to an identified or identifiable natural person. |
| Controller | Decides why and how data is processed. |
| Processor | Processes data on behalf of the controller. |
| Consent | Must be freely given, specific, informed, and unambiguous. |
| Right to be forgotten | Data may need to be erased in certain circumstances. |
| Data portability | Data subjects can receive their data, or have it transferred, in a machine-readable format. |
| Lawful basis | Processing must fit a lawful basis such as consent, legitimate interests, or public interest. |
| Special category data | Sensitive data with stricter rules. |
| DPIA | Required for high-risk processing. |
| Privacy by design | Build data protection into systems from the beginning. |
| DPO | Required for public authorities, large-scale monitoring, or large-scale special category processing. |
| Breach reporting | DPA notification generally within 72 hours of awareness. |
| Encryption | Important technical safeguard for storage and transmission. |
| International transfers | Must not undermine GDPR protections. |
| Documentation | Needed to prove compliance. |

---

# Final takeaway

GDPR is built around one central idea: organisations must respect the rights of individuals when handling personal data.

That means an organisation must know what data it holds, why it holds it, how it uses it, who receives it, how long it keeps it, how it protects it, and how it will respond if something goes wrong.

Privacy began as a broad right to be left alone. GDPR turns that idea into a detailed operational framework for modern digital information.
