The General Data Protection Regulation (“GDPR“) will come into effect on 25 May 2018 replacing the existing data protection framework under the EU Data Protection Directive. It has been described as the most ground-breaking piece of EU legislation in the digital era. The aim of GDPR is to make businesses more accountable in data privacy compliance and offers citizens extra rights and more control over their personal data.
The Data Protection Commissioner has published a useful guide entitled “The GDPR and You” (Found Here). What follows are some of the key elements effecting organisations under GDPR. Full details are available from www.eugdpr.org
Territorial Scope: Any organisation, whether established in the EU or not, processing the personal data of data subjects located in the EU, and data controllers and processors established in the EU, will be subject to the GDPR. This will also affect non-EU businesses with websites directed at the EU, such as online advertisers and e-commerce businesses.
Data Protection Impact Assessments (“DPIAs”): DPIAs will be mandatory in respect of any project where “high risk” data processing is envisaged, including profiling, large scale processing of special (sensitive) categories of personal data or large scale processing of public areas.
Consent: Data subjects must freely give specific, informed and unambiguous consent to the processing of their data. The GDPR also gives EU member states discretion to decide what the minimum age will be for data subjects to consent to processing of their personal data.
Privacy by Design: Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically – ‘The controller shall implement appropriate technical and organisational measures, in an effective way, in order to meet the requirements of this Regulation and protect the rights of data subjects‘. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.
Data Protection Officer: Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or involve processing large quantities of sensitive personal data, must appoint a Data Protection Officer (“DPO”). DPOs must be expert in data protection law and privacy. They must also be able to act independently and report directly to senior management within organisations. Many small organisations and SME’s that meet the criteria requiring a DPO may opt to outsource the responsibilities of the DPO.
SHOULD YOUR COMPANY APPOINT A DATA PROTECTION OFFICER (DPO) UNDER THE EU GDPR?
Data Breach Reporting: Breaches must be notified to the Supervisory Authority within 72 hours, unless the breach is unlikely to result in a risk to rights and freedoms of individuals. Where this risk is high, affected data subjects must also be notified without undue delay.
Enhanced rights of the individual: Data subject rights have been supplemented to now include:
a right to be forgotten (de-listed);
a right to restriction of processing; and
a right to data portability.
The practical implementation of the new rights (in particular, data portability) is likely to represent significant operational and technical challenges for organisations.
Fines & Enforcement: The GDPR significantly increases the scope and nature of administrative fines for non-compliance, with the effect that failure to address data protection compliance obligations could prove very costly, in financial terms, for businesses. Organisations will be potentially subject to fines of up to:
€10 million or 2% of total worldwide annual turnover (whichever is greater) for serious breaches; and
€20 million or 4% of total worldwide annual turnover (whichever is greater) for very serious breaches.
In addition, and for the first time under Irish law, data subjects will have a right to sue for non-material damage in addition to material damage arising from data privacy breaches.
The GDPR will have a significant impact for all organisations doing business in Ireland and the EU. With the transition period now underway, it is vital for organisations and compliance officers to begin preparing for what will be the biggest change to data protection laws in over 20 years.