It was the week before Christmas when I was chatting about all things security while visiting an Asystec client. As he is a Data Protection Officer (DPO) of many years' standing and an expert in the subject matter himself, our conversation naturally turned to data protection. With GDPR taking centre stage in 2018 and shining a spotlight on data regulations, I was surprised when he instead started discussing the Irish Data Protection Act 2018 (DPA).
During our discussion, I was enlightened about a little-known section of the Data Protection Act 2018 which requires that systems carrying out automated processing of personal data must have auditing/logging in place. Not being too familiar with this particular section, I delved further into the topic.
The section in question is Section 82, and I learned that the data log must record:
- Who accessed data and the time it was accessed.
- When and to whom the data was transferred or disclosed.
- Why the data was accessed, transferred or disclosed.
- When and why data was combined with other data.
- The erasure of data or part of the data.
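As an added illustration (not code from the post, and not Asystec's), the following shows one way a system could structure its Section 82 log so that each of the items above is captured as a mandatory field, and so that the log can later be shown not to have been altered. The event names, field names, the hash chain and the sample entries are all this example's own assumptions, not terms from the Act.

```python
"""Append-only, hash-chained audit log for automated processing of personal data.

Example code added for illustration. Field and event names are assumptions chosen
to cover the items the post lists: who/when accessed, when/to whom transferred or
disclosed, why, when/why combined, and erasure (full or partial).
"""
import hashlib
import json
from datetime import datetime, timezone

# Event kinds corresponding to the operations the log must record (assumed names).
EVENT_TYPES = {"access", "transfer", "disclosure", "combination", "erasure"}

# Fields every entry needs: when, who, what, why, and which record was touched.
COMMON_FIELDS = ("timestamp", "actor", "event", "purpose", "record_ref")

# Extra fields that answer "to whom", "combined with what" and "how much was erased".
EXTRA_FIELDS = {
    "transfer": ("recipient",),
    "disclosure": ("recipient",),
    "combination": ("combined_with",),
    "erasure": ("scope",),  # assumed values: "full" or "partial"
}


def missing_fields(entry: dict) -> list:
    """Return the names of required fields that are absent or empty in an entry."""
    required = COMMON_FIELDS + EXTRA_FIELDS.get(entry.get("event"), ())
    return [name for name in required if not entry.get(name)]


def _digest(entry: dict) -> str:
    """SHA-256 of the canonical JSON form of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry links to the previous one by hash."""

    GENESIS = "0" * 64  # constructed starting value for the chain

    def __init__(self):
        self._entries = []
        self._last_hash = self.GENESIS

    def record(self, actor, event, purpose, record_ref, timestamp=None, **extra):
        """Append one entry; refuse any entry that lacks a required field."""
        if event not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {event}")
        entry = {
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "event": event,
            "purpose": purpose,
            "record_ref": record_ref,
            **extra,
            "prev_hash": self._last_hash,
        }
        gaps = missing_fields(entry)
        if gaps:
            raise ValueError(f"{event} entry missing required field(s): {gaps}")
        entry["entry_hash"] = _digest(entry)
        self._entries.append(entry)
        self._last_hash = entry["entry_hash"]
        return entry

    def entries(self) -> list:
        """Copies of the entries, so callers cannot mutate the log in place."""
        return [dict(e) for e in self._entries]

    def verify_chain(self, entries=None) -> bool:
        """True if every entry hashes correctly and links to its predecessor."""
        prev = self.GENESIS
        for e in (self._entries if entries is None else entries):
            if e.get("prev_hash") != prev or _digest(e) != e.get("entry_hash"):
                return False
            prev = e["entry_hash"]
        return True

    def to_jsonl(self) -> str:
        """Serialise as JSON Lines, one entry per line, for export or shipping."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self._entries)


if __name__ == "__main__":
    # Constructed sample events, not real data.
    log = AuditLog()
    log.record("analyst.jdoe", "access", "claims review", "customer:1042")
    log.record("batch.export", "transfer", "partner reconciliation",
               "customer:1042", recipient="partner-x")
    log.record("dpo", "erasure", "subject erasure request", "customer:1042",
               scope="full")
    print(log.to_jsonl())
    print("chain intact:", log.verify_chain())
```

The point of refusing an entry that lacks a purpose or recipient is that the log can then be relied on to answer the "why" and "to whom" questions for every operation, rather than only for the ones a developer remembered to annotate; the hash chain lets an auditor confirm an exported log matches what was written.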
Applicable Systems and Exemptions
Upon further investigation, I learned that Section 82 applies to ALL systems carrying out automated processing of personal data established after 2016 with only the following initial exemptions:
- It does not yet apply to systems established on or before May 6th, 2016, where putting the log in place would cause “disproportionate effort”. These companies have until May 6th, 2023 to get data logging in place.
- It does not yet apply to systems, established on or before May 6th, 2016, where putting the log in place will cause serious difficulties for the operation of the automated processing system. These companies have until May 6th, 2026 to get data logging in place.
While I feel this is a very reasonable approach, essentially allowing 6-9 years to have a system in operation (more than enough time to get a form of logging in place), its downfall came in its communication, or lack thereof. Ironically, as the Irish DPA was enacted into law on 24th May 2018, and this requirement was not part of GDPR, systems established between May 2016 and May 2018 had no way of knowing that this requirement existed.
To claim an exemption the controller/processor must write to the relevant minister.
So, what does this mean?
Well, for starters, the data log cannot be used for any purpose other than establishing the lawfulness of the automated processing itself. The data logs cannot be used for:
- Keeping information about data subjects.
- Further processing.
- 'Big Data' or data analytics.
Retention periods for these data logs are not defined, nor does the Act set a specific obligation to audit and monitor the logs, but to demonstrate compliance with its security obligations an organisation must surely audit and monitor them.
To conclude, where personal data is processed by automated means, there is an explicit requirement for controllers and processors to create and maintain a data log. Now more than ever, organisations have reason to ensure they have the visibility they need into both their structured and unstructured data stores, so that they can obtain the necessary information (Who, What, When, Where, Why and How) about their data and demonstrate compliance. For more detailed information, see the text of the section: http://www.irishstatutebook.ie/eli/2018/act/7/section/82/enacted/en/html
In the ever-changing landscape of the IT sector, every day is a learning day!
Asystec helps customers with their compliance and security requirements by focusing controls and remediation on a customer's key data assets. We take a data-centric approach to better understand the data, gain insight into the risks associated with it, and put controls in place to give the business confidence that it is not only fulfilling compliance needs but also increasing security and reducing risk.
For more information on how Asystec can help you with your data security needs contact [email protected]