The General Data Protection Regulation (“GDPR”) came into force on 25 May 2018 and is regarded as the most significant change to the European data protection landscape in twenty years.
The GDPR regulates the processing of personal data inside the EU and of EU residents. As a result, it is likely to impact most EU organisations and various business units including HR, marketing, sales, product development, digital strategy, consumer transactions, tracking, profiling and IT to name a few.
The GDPR is a European Regulation meaning that it will apply directly in all EU Member States from May 2018 without the need for implementing legislation. The GDPR will replace EU and national data protection legislation. In Ireland, the GDPR will replace the 1995 Data Protection Directive, which is the EU legislation on which the primary Irish data protection legislation, the Data Protection Acts 1988 and 2003 (as amended), is based.
The GDPR applies to EU organisations processing personal data and also to non-EU organisations where they offer goods and services to EU residents or monitor their behaviour, even if that processing does not take place in the EU. The extension of data protection legislation to cover organisations outside the EU is new and will be a challenge for those organisations. As a result, a US company that has no establishment in Europe but which offers goods and services to EU customers online is also subject to the GDPR.
Data Protection Officers (“DPO”): It is mandatory to appoint a DPO in certain instances. A DPO is a specific independent advisory role expected to have expert knowledge of data protection law. The DPO will be responsible for advising the organisation on compliance with the GDPR and acting as a contact point for data subjects and data protection authorities. It could be an external contractor or an internal staff member. Does your organisation have a DPO or need to appoint one?

EU Representative: Organisations that are not established within the EU but which are subject to the GDPR will be required to appoint an EU representative to act as a point of contact with data protection authorities.

Accountability: Not only do organisations have to comply with the GDPR, they must also account for this by demonstrating their compliance. Does your organisation have a data protection programme, and is it able to provide evidence of how it complies with the requirements of the GDPR?

New data subject rights: Data subjects have enhanced rights under the GDPR, for example the right to erasure, the right to data portability and the right to object to profiling. In addition, data subjects must be informed of their right to withdraw their consent to processing at any time. As a result, privacy policies and other consent forms will need to be reviewed and updated to take the new rights into account. Does your organisation know how to comply with these new rights?
There are more onerous notification requirements to comply with in the event of a personal data breach. In most cases a data controller must notify the supervisory authority without delay, and not later than 72 hours after becoming aware of the breach. Where the breach poses a high risk to data subjects, the data subjects themselves generally must also be notified. Would your organisation be able to comply with these requirements and know the procedure to follow?
Data controllers will also be required to maintain an internal breach register documenting data breach incidents and the remedial action taken. This register is open to inspection by the supervisory authority. Does your organisation have a data breach policy and an internal register of breaches?
Fines: The fines are substantial. There are two thresholds for administrative fines, and which applies depends upon the nature of the breach. The lower threshold is up to 2% of an undertaking’s global turnover in the previous year or €10 million, whichever is higher. The higher threshold is up to 4% of an undertaking’s global turnover in the previous year or €20 million, whichever is higher. This is a significant change from the current position, where the maximum fine is €100,000.

Data protection impact assessments (“DPIA”): A DPIA is a mandatory prerequisite for any processing that is likely to be high risk. High risk processing may involve, for example, profiling, large scale processing of special categories of personal data, or large scale monitoring of publicly accessible areas. The GDPR also suggests that it is prudent to carry out a DPIA on a processor before engaging it. Does your organisation know how to carry out DPIAs?

Privacy by design and by default: Organisations need to ensure that data protection is at the forefront of any new service, product, business system or process development plans, as these must be developed with privacy in mind. In addition, the default user settings must also be privacy friendly. Do you design and build data protection and privacy requirements into your products, services, business processes and systems?

Data processors: The GDPR imposes specific obligations on data processors and requires more detailed provisions to be included in controller-processor contracts. As such, contracts with data processors should be reviewed to ensure that they meet the GDPR’s requirements.
Organisations should familiarise themselves with the requirements of the GDPR. They should then review all data processing activities that they currently undertake or envisage, in order to identify any gaps in compliance with the GDPR and the associated risks. It is also important to review all contracts, privacy notices, consent forms and other documentation under which data processing occurs, and to ensure that these are in line with the GDPR.