The GDPR – Data Protection in a Digital Age
The Clock is ticking for Irish Businesses to get GDPR Compliant
In Ireland, the main law dealing with Data Protection Legislation is the Data Protection Act 1988, which was amended by the Data Protection (Amendment) Act 2003. These will both be replaced by the General Data Protection Regulation (GDPR).
The GDPR is a new piece of Data Protection Regulation which will become law across the EU on the 25th of May 2018. The GDPR represents the biggest change to Data Protection Law in the past 20 years.
The new regulation covers all businesses operating in the EU and will require businesses to put a much stricter focus on data protection. Notwithstanding this, a significant amount of Irish businesses have not yet implemented any programme to ensure compliance with the GDPR by May 2018.
New Regulations will address privacy needs and concerns in the Digital Age.
There have been significant developments in Technology and Data Protection since the existing Data Protection Laws were enacted. Google was in its infancy in 2003 and Facebook, Twitter, LinkedIn, WhatsApp and Spotify were not yet invented. The current Regulations are ill equipped to deal with the explosion of the digital economy and the volume of consumer data used and stored by businesses. The GDPR addresses these inadequacies by seeking to safeguard the privacy rights of individuals in relation to the processing of their personal data by organisations. These measures will help improve trust in the digital economy.
Changes
The headline items for Organisations that collect or process EU citizen records are;
· Consent will need to be evidenced at every step. This means business owners will have to ensure that their procedures are reconfigured so that it becomes easy to prove that each individual engaged with the business has properly agreed for their data to be processed through an easy-to-understand contract.
· The GDPR strengthens the rights that individuals have to control their own personal data and how that data is used. This should help improve trust in the digital economy
· GDPR includes a personal data breach notification rule. This says that when a breach of security occurs, this breach should be reported to the Supervisory Authority within 72 hours.
· The GDPR (and therefore the European privacy laws) also applies to organisations that are not located within the EU, but that do offer goods or services to, or monitor behaviour of data subjects in the EU.
· The data subject’s right to erasure of his personal data is now enhanced
· The GDPR includes security measures to ensure the confidentiality, integrity, availability and resilience of processing systems.
· Businesses must keep an inventory of all personal data processed and the purpose for processing the data.
· Arguably, the most significant change is that the GDPR introduces the principal of accountability and sanctions. The GDPR will have significant and wide ranging impacts, including fines of up to 4% of global turnover or €20m (whichever is greater) in the case of a breach.
The clock is officially ticking for organisations to get their data protection policies in order
It is imperative that Irish businesses take appropriate steps now to ensure that their business is GDPR compliant and now is the time to act. Below is a non-exhaustive list of steps
· Make an inventory of all personal data held by your business.
· Review your privacy procedures and ensure all customers are fully informed about how you use their data.
· Implement procedures to be followed to deal with data access requests; Note the new time scale of one month to process requests has replaced the old 40 day rule.
· Implement procedures to ensure the obtaining and recording of consent to process personal data is in line with GDPR standards. Ensure your business has a proper system to verify ages and gather consent form Guardians.
· Ensure your business has an effective procedure in place to monitor, detect and report data beaches
Helpfully, The General Data Protection Regulation (GDPR) has launched a GDPR-specific website www.GDPRandYou.ie with guidance to help individuals and organisations become more aware of their enhanced rights and responsibilities under the General Data Protection Regulation.
Finally, the effects of the GDPR will differ per organisation and we are more than happy to provide you with tailored advices. Should you have any specific question on the GDPR or privacy and data protection within your business or organisation, please contact us.
Georgina O’Halloran
Solicitor
BDM Boylan Solicitors,
Clarkes Bridge House,
Hanover Street,
Cork.
021 431 3333