GDPR Where are we now?

The proliferation of the internet, the digital world or the parallel universe (as it is now coming to be known) is self-evident when we consider the ways it is used daily for instantaneous communication and ecommerce activities.

Interestingly, in the 10 years from 2009 to 2019 the share of households in the European Union (EU) with internet access rose to a high of 90%, up from 64% at the beginning of that period. The share of individuals aged between 16 and 74 in the EU who ordered or bought goods and services over the internet was 60% in 2019, up from 46% in 2014. The global e-commerce market size was valued at USD 9.09 trillion in 2019 and was expected to grow at a compound annual growth rate of 14.7% from 2020 to 2027.

As more people were “entrusting their personal data with cloud services”, the European Commission set out to replace the 1995 European Data Protection Directive and in 2012 made the decision to “strengthen online privacy rights and boost Europe’s digital economy”.

On 14 April 2016, the General Data Protection Regulation (GDPR) was formally adopted in the European Parliament and was subsequently implemented on 25 May 2018, from which time compliance was mandatory.

The European Commission defines personal data as ‘any information that relates to an identified or identifiable living individual’. In addition, when various bits of information collected can lead to the identification of a particular person, this is also deemed to constitute personal data.

The GDPR set out to reinforce existing rights and to establish new rights for individuals, such as the right of data portability, the right not to be profiled and the right to be forgotten. It also established the role of data controller, the person/entity who decides why and how personal data will be processed, and data processor, a third party that processes personal data on behalf of a data controller.

Seven principles underlie the GDPR, one of which is a new addition: accountability. In effect, the data controller is responsible for being able to demonstrate GDPR compliance with all principles.

The implications of the GDPR since its implementation in 2018 have been far reaching. Although it is an EU Regulation whereby all personal data within the EU is subject to its rigours, organisations outside of the EU must also comply in so far as their processing of data relates to goods or services being offered to people based in the EU or to monitoring the online behaviour of users in the EU. These rules apply regardless of the country in which the company carrying out this data processing is based.

A few justifications in the GDPR allow for companies to legally obtain, process, and store personal data. Among these justifications is processing personal data when it is necessary to perform a task in the public interest or to carry out an official function.

The 31 Local Authorities across Ireland are, under statutory provisions, tasked with the inspection and enforcement of the regulations which prescribe minimum standards for the rented accommodation in each of their catchment areas.

The Housing Acts 1966 and 2014 assign the responsibility to the Local Authorities while officers of the Local Authority, under section 18(2) of the Housing (Miscellaneous Provisions) Act 1992, are authorised to access rented properties for the purpose of rented house inspections.

The purpose of these inspections is to ensure that rented properties comply with a specific set of minimum standards as per the current Housing (Standards for Rented Houses) Regulations 2019.

Inspex has specialised in the private rented sector (PRS) since 2010 and is the only indigenous company to have developed a customised mobile application around the rented housing standards. Several Local Authorities have entered into a contract with Inspex for the provision of private rented sector property inspections. In doing so, Inspex has assumed the role of the Local Authorities’ inspection team.

Under the GDPR legislation, data processing agreements must be put in place between the data controllers (i.e. Local Authorities/Inspex) and the data processors (i.e. Inspex/Local Authorities). Contractual agreements are, of course, in place between Inspex and the Local Authorities.

While Inspex itself respects the data privacy of the individuals with whom it engages in the provision of inspection services on behalf of our Local Authorities, it has also agreed to process data in line with the terms of its contracts.

Despite the onerous requirements under GDPR with which businesses both within and outside of the EU must now comply, most companies have risen to the challenges. Implementing safe and compliant ways to collect, process and store data is necessary, and while it might require some extra effort, organisations must continue to monitor their operating processes to ensure compliance.