In our GDPR series, we want to share some helpful GDPR tips for businesses.

We are fortunate to have a very proactive Local Enterprise Office in Wicklow.  They host some great events for businesses in the area.  One such event was their seminar on GDPR, presented by Ruth Hallinan from Data Privacy Solutions.

The General Data Protection Regulation (GDPR) comes into force on 25th May, 2018 and it seems that businesses are not ready for the upcoming changes.  As a business, if you hold data on either your customers or employees, you need to keep it secure.  As Ruth says, “data should be part of your process.”

Ruth spoke at length about GDPR with great knowledge and insights from a business perspective.  We’ll share some of what she spoke about today with you.

  • Data can be either automated or structured manual data
  • Data covers living persons, not deceased
  • Data can cover reference to an identifier (e.g. an IP address)

Interestingly, GDPR does not apply to anonymous data.  So this is worth knowing if you’re in the business of market research, for example.  By keeping research collected anonymously, you’re off the hook for GDPR!

Pens were jotting lots of notes and ears perked up quite a number of times during the morning with Ruth.  She asked if your business is the data controller or the data processor.

  • A Data Controller is a person who controls the content and use of personal data and determines the purpose and means of processing.
  • The Data Processor is a person who processes personal data on behalf of the data controller.

Ruth pointed out that it’s good to establish with third party providers, in contracts, who has the GDPR obligations: the processor or the controller.  She also mentioned that, when it comes to compensation for a breach of data protection, your contract should lock down who is responsible for breaches.

“We are all data subjects,” says Ruth.  By definition, a data subject is an individual who is the subject of personal data.  She pointed out that we sign up to lots of “free” apps in return for providing these businesses with our personal data.  Facebook springs to mind.  How many services do we sign up for without reading the terms and conditions, just scrolling to the end and clicking “I agree”?

One of the best pieces of advice Ruth gave was to learn how to wipe your phone remotely if it is lost or stolen.  This is so data doesn’t get into the wrong hands.

Another of her great tips was to get your laptop encrypted.  If it is encrypted when it is lost or stolen, then it doesn’t fall under GDPR.  It also means that you’re keeping customer and/or employee data secure.

Finally, if your third party suppliers have their servers storing your customers’ data outside of the EEA, then breaches will apply where the server is stored.  For example, if you use MailChimp (an email marketing provider), their server is currently stored in the United States of America.  It is worth keeping in mind where exactly the server that holds that precious data is stored.

GDPR may mean something different for every business, but the main thing is that you get your business ready for 25th May, 2018.  The Data Protection Commissioner has some great information on their website, so keep up to date at

If it’s all too much for you to take in, then please do ask us for help –