NUJ - Irish Newsletter - September 2018

orderForm.title

orderForm.productCode

orderForm.description

orderForm.quantity

orderForm.itemPrice

orderForm.price

orderForm.totalPrice

orderForm.deliveryDetails.name

orderForm.deliveryDetails.accountNumber

orderForm.deliveryDetails.phone

orderForm.deliveryDetails.poNumber

orderForm.deliveryDetails.email

orderForm.deliveryDetails.companyName

orderForm.deliveryDetails.billingAddress

orderForm.deliveryDetails.deliveryAddress

orderForm.deliveryDetails.deliveryDetailsDeliveryAddressSameAsBillingAddress

orderForm.deliveryDetails.address1

orderForm.deliveryDetails.address2

orderForm.deliveryDetails.city

orderForm.deliveryDetails.state

orderForm.deliveryDetails.postCode

orderForm.deliveryDetails.country

orderForm.deliveryDetails.additionalInformation

orderForm.noItems

4

Irish South West branch discusses the implications of GDPR

By Anna Nolan [Editor’s note: This article is a report of a branch

event, and should not be construed as legal advice. If you have queries about GDPR in your work, please consult your usual legal advisers.]

Do journalists have to change the way they work in order to comply with the EU General Data Protection Regulation (GDPR) that came into effect on 25th May this year? If so, to what extent? And what about our precious, hard-earned contact lists? To answer these questions, the Irish South

West branch invited local solicitor Rossa McMahon of PG McMahon Solicitors in Newcastle West, County Limerick to explain the implications for journalists. Reassuringly, he told us that although there is much that we have to be aware of, and be careful about, we are legally allowed to keep information and personal data necessary for our work, and we definitely don’t have to ask everyone on our contact lists if we may keep them there. His key message consisted of four main imperatives. We must:

• be able to justify that keeping the data is in the public interest; • encrypt our drives; • securely store our notebooks; and

• make sure that we do not accidentally send emails with sensitive personal data to the wrong person. Under GDPR, “personal data" is any

information relating to an identified or identifiable (directly or indirectly) natural person. The definition of “sensitive personal data” is far- reaching. It is data revealing racial or ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation, and even an IP address. There are three key players involved in the

day-to-day workings of GDPR – the data subject, the data controller, and the data processor. Rossa explained to us what this means in practical terms. The data subject is the person that the data is

about. This person has wide-ranging rights under the regulation. The data controller is the person who controls that data. The data processor does things with the data on behalf of the data controller. Under GDPR, data processing includes

anything done to personal data. This affects just about anything done with personal data since it takes in collecting, recording, organising,

Norma Prendiville, Cathaoirleach, South West branch. Photo: Adrian Butler

structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, combining, restricting, erasing or destroying. The data controller may also be the data

processor, or may pass the data to an outside contractor for processing. In this case, the data controller still carries the same responsibilities. A media business is a business, and therefore subject to all the requirements and restrictions of the Data Protection Act 2018 (DPA), Rossa explained. Fortunately, exemptions from some of the

more the more stringent requirements of GDPR apply to us as journalists, if we are processing data solely for journalistic purposes, and if the data controller reasonably believes (a) that publication is in the public interest and (b) that complying with the DPA obligations are incompatible with journalistic purposes. The individual staff journalist is, additionally, in

the fortunate position of not being a data controller. That responsibility rests with the employer. Freelance journalists have to be extra careful though, as generally they are data controllers. “This means that the freelance is responsible

for security,” Mr McMahon stressed. “GDPR doesn’t introduce a necessity for encryption, but you have to be secure, so it’s advisable. “Don’t use free cloud back-up, and make sure

that the servers are based in the EEA and that the password protection is okay.” Branch Cathaoirleach Norma Prendiville

warmly thanked Mr McMahon for his helpful explanations of the implications of GDPR for us. The training session was held in Bunratty Folk

Park, County Clare, on 19th May. It was followed by a branch meeting and lunch. Some family members joined us to enjoy the attractions of the park in the afternoon. Anna Nolan is a member of the South West branch.

Page 1 | Page 2 | Page 3 | Page 4 | Page 5 | Page 6 | Page 7 | Page 8 | Page 9 | Page 10 | Page 11 | Page 12 | Page 13 | Page 14 | Page 15 | Page 16 | Page 17 | Page 18 | Page 19 | Page 20