Latest Blog Posts

February 2018

The Irish Data Protection Bill - Thoughts (part 1)

The Irish Government have published their Data Protection Bill 2018, which is intended to legislate for the areas of the General Data Protection Regulation (Regulation 2016/679/EU) which allow for Member States to define their own rules, and is also intended to transpose into Irish legislation the Data Protection Directive for Law Enforcement (Directive 2016/680/EU).

This should be a generally straightforward thing. 

The Data Protection Bill and Data Sharing Bill - some initial thoughts

The Irish Government has this week published the draft of the Data Protection Bill 2018. This legislation purports to give effect to the General Data Protection Regulation, but it contains extensive carve outs and exemptions for Public Sector organisations and Public bodies, not least the proposal to exempt such organisations from the administrative fines proposed under the GDPR (see .

January 2018

And we're back...

This website and blog have been a little bit quiet for the last while. There's been a lot going on.

March 2016

The difference between Information and Data

Back in February my brother asked us to take a look at some data for his Residents' Association. The data related to AirBnB listings in Dublin city centre. We don't do a lot of pro-bono work, but I'd forgotten to get him a Christmas present or a birthday present and was feeling guilty, so I agreed to look at the data.

To solve problems, first define them

One of the great things about running a boutique research-driven consultancy in the Information Governance/Quality/Privacy space is that we get asked by clients to look at interesting things and figure out not just what opportunity exists in the problems and challenges of today, but also what things are happening in the information space that are creating risks as people "run with scissors" to adopt new technologies and ways of working without necessarily understanding the full range of issues and risks.

February 2016

Data Retention, POSMAD, and the Fair Processing Notice

In a previous post I advocated strongly for an evidence based approach to Data Retention schedules in organisations, with the emphasis being on avoiding "indefinite" retention periods or "L'Oreal" like retention rationales ("because we're worth it").

Data Retention & Risk

We have been working on Data Retention policy reviews for a number of clients recently. One element of our approach is a benchmarking exercise against peer organisations domestically or internationally to assess the "reasonableness" and proportionality of proposed retention periods. In one review we found that domestic peers had identified quite a lot of "Retain Indefinitely" retention periods. Coincidentally, these were applied to records which related to accidents, incidents, and activities that service users of the organisation might be involved in.

Safe Harbo(u)r - What can organisations do now?

So, Safe Harbo(u)r, much like the Norwegian Blue Parrot, has joined the choir eternal. The Article 29 Working Party are clear - it is no longer a lawful basis under which data can be transferred to the United States.

While we await confirmation of the adequacy of the Privacy Shield (see here and here for our thoughts on that), organisations are faced with either getting their US-based suppliers to adopt Model Contract Clauses (which may not be a long term solution), or finding EU hosted services to replace the functionality of these services.

Privacy Shield: Mission Accomplished?

The Privacy Shield deal is done. Allegedly. It is being hailed as "mission accomplished" by the negotiators. To borrow from Simon McGarr's excellent metaphor, it appears the warship and the lighthouse have reached a mutual solution that required less movement than we expected.

Mission Accomplished indeed.

January 2016

Our most requested slide of 2014-2015


This post is a short one we have prepared ahead of Data Privacy Day. Our most requested slide in Data Protection presentations since 2014 has been our "One Slide Summary of the GDPR". It has been through a few iterations but still stands up to the task of explaining how the different elements of the GDPR interact. We've extended it to include our 11-box model for Information Governance and Information Quality to show how the requirements of the GDPR relate to key governance areas in the organisation.