25 May will be an important day in the history of this country for more than one reason.

Not only will Ireland decide whether to keep or repeal the Eighth Amendment to the Constitution, but it will also get sweeping new data protection rules.

The General Data Protection Regulation (GDPR) represents the biggest overhaul of data protection standards this country and the wider EU has seen since 1995, putting new responsibilities on those gathering, processing and storing data, and handing back power to those who own it.

So what does it all mean for you (apart from extra traffic through your email inbox as organisations scramble to get your permission to hold your data, which they probably should never have been gathering in the first place)?


GDPR is all about personal data - that is any information relating to an identified or identifiable person i.e. you or me or the guy next door.

This could mean the details you gave a social network when setting up your account, emails you store in the cloud, the medical forms you, as coach, got parents to fill in for their children at the start of GAA training this season, the HR file that your employer holds on you, etc.

The list of potential examples is vast, but you get the idea.

GDPR first of all makes anyone who holds your personal data more accountable.

In other words, they must put in place the appropriate technical and organisational measures to ensure that information is gathered, held and processed according to the new rules.

But further still, they must also be able to demonstrate they have done this, by designing privacy into everything that involves personal data each and every time, by abiding by codes of conduct and by getting certification where possible.


They also need to be transparent and clear in explaining how they process your data.

That should mean no more long, legalese-laden, impenetrable and boring (well maybe they will still be a bit boring) terms of service, or terms and conditions that you tick instinctively as your eyes begin to glaze over.

In particular, where children are concerned those explanations will have to be really clear.

It also means a person or organisation gathering your data will have to be clear about why they are doing this, what the legal basis for doing so is, who will receive the data, how it will be moved around, how long it can be held for, your rights to access or change it, etc.

That should help stop some of the misuse and abuse of data we’ve been hearing about recently, where information is purportedly being gathered for one reason but is actually being moved and used for something else.


One of the most important aspects of the new rules for consumers will be around notifying users and authorities when the security of data is breached.

Under the GDPR the "supervising authority", in our case the Office of the Data Protection Commissioner (ODPC), will have to be told within three days if private personal data is lost or stolen or exposed in any way.

So in other words, if an internet company gets hacked for example and user data is taken, the company will have 72 hours from when it realises this to tell the regulators.

It will also have an obligation to tell its users, in circumstances where the breach puts them at a high risk.

That’s all positive because under the current rules, disclosing the loss of personal data is voluntary, and so it is suspected the vast majority of data breaches are never reported, leaving users at risk of all sorts of problems such as identity theft, fraud or damage to their reputation.

The only real exception to the new rule is that if by telling authorities the rights and freedoms of the people concerned are put at risk, then a breach does not have to be notified.


Consent is a big issue when it comes to many data dependent products and services.

Under GDPR a person must give their consent to their data being harvested and processed "by a statement or by a clear affirmative action".

And the consent must be informed, freely given and clear.

This is another good development, as it is often not entirely clear to people what they are consenting to, and this lack of clarity is often used by organisations holding the data to gather more than necessary or to use it for more than the user ever intended.


People have always had some rights when it came to the protection and privacy of their data, like for example, the right to see what data is being stored that concerns them and to request that it be deleted - the so-called "right to be forgotten".

But often these have been poorly defined, are not extensive enough or are not enforced.

So the GDPR enshrines a whole plethora of powers in law to help the ordinary citizen.

These include a right to access personal data held by a person or organisation about them, a right to move, erase or rectify data, a right to be informed and a right to object to or even restrict the processing of that information.

The rights aren’t completely in favour of the individual - the controller of the data has rights too, and the individual has responsibilities.

But in general, provided the user can prove they have a justifiable reason to have their rights vindicated, then they will win out.

For example, if a person decides they want to restrict or stop a state body from processing data related to them, they can do this if the processing of the information breaks the law, the data is no longer needed by the body or the data is inaccurate.

Or if a person wants to move their data to a different company because they think they might provide a better service, there is a provision for them to do this without being impeded by the company they wish to remove the data from.


Until now, many experts have argued that regulators were pretty toothless when it comes to enforcing data protection law.

Through GDPR that is all about to change.

Because it will give regulators like the ODPC the ability to fine organisations that break the rules up to €20 million or 4% of global turnover for the preceding financial year.

For a small business, club or voluntary body that could be the difference between surviving and not.

For a large company such as Google or Facebook, the hit to the bottom line and by extension shareholders could be enormous.

Google’s parent company Alphabet, for example, had a turnover of $110bn in 2017.

That could mean a fine for a significant breach of up to $4.4bn - not exactly small change.

No surprise then that there has been such a flurry of activity around data protection in recent weeks and months, as companies and other bodies try to get their houses in order.

Is everyone ready? Realistically, probably not. But surveys have shown awareness levels are high.

Indeed, how could they not be, with so much focus on the issue of data protection of late?

And so woe betide those who, through their own ignorance, laziness or stupidity, have ignored all the warnings.

Because when it comes to GDPR, hard cases will make for good law.

Comments welcome via Twitter to @willgoodbody