Data Protection from the Outside

Mary and Angus Hogg / Small Businesses /

What does your data protection posture look like to your employees, customers, and prospective customers? That is data protection from the outside.

A review of the outside edge of your data protection considers the points at which you may be collecting personal data. You can use the Data Protection at the Edge Survey to help identify where personal data is collected.

Premises

CCTV cameras collect data as people come into view of the cameras. It doesn’t matter whether the cameras are inside or outside. If people believe you have recorded them, they have a right of access to a copy of the recording.

Companies keep registers of visitors for security and safety purposes.

If you are taking payments, you need to consider how this data is protected.

Vehicles

Dashcams collect personal data when they are recording. If the vehicle is carrying the public, then it may be capable of tracking people. You may track your commercial and sales fleets for efficient scheduling. These tracking data can also be personal as, while they relate to the car or van, they may also be associated with the driver.

Online

Online services are increasingly important for the marketing of businesses and frequently are the starting point for a sales process. Even a simple site may be using cookies and subject to the ePrivacy regulations. Links with social media sites such as Facebook and Instagram may be configured to provide personal data of the people who click on the links to the social media companies.

A site offering products for sale may be collecting personal data to process payments or establish an account and login to encourage repeat business. A simple site may just collect name and contact details for a follow-up sales contact.

Why this is important

When you collect data, you become the data controller. As the data controller, you are obliged to service the GDPR rights of the data subject:

  • Information about the collection of data
  • Access to the data collected
  • Rectification of errors
  • Right to be forgotten
  • Restriction of processing
  • Data portability
  • Object to specific processing
  • Not to be subjected to automated decisions or profiling

Figure: Example of Data Protection Relationships for Website

While you may use other companies to collect, process or store the data, these companies are data processors. You are responsible to the data subject.

The figure illustrates the data protection relationships that may be involved in producing and operating a website.

During the design of the site, the designer had access to personal information as content for the website’s “about” pages. They backed up this information with their supplier of backup services.

The ongoing hosting operation displays the same personal data on the live site. The website also uses a Cookie Management Provider, which uses cookies to track the cookie consents of visitors. The hosting company also backs up operating data, including logs of the contact form information, to a third party.

The visitors will consider the owner the data controller and address all of their data protection concerns and requests towards them. The owner is responsible for ensuring that the site is created, operated and maintained in compliance with the requirements for GDPR through the controller/processor relationships.