Adding to last year’s brief introduction to the GDPR, let’s take a more in-depth look at the new legislation.
What is GDPR and why?
With the aim of protecting all EU citizens from data breaches and supporting their right to privacy, the new data protection Regulation has come into force as of today. Let’s discuss its importance in the increasingly data-driven world we live in. Below, we shed some light on a few of the major changes that the GDPR will enforce and on what organisations need to do to be best prepared for this legislation. It will replace all present data protection regulations in the EU.
The GDPR was approved by the European Union Parliament in April 2016 after four years of discussion. Organisations that are non-compliant will be liable to pay heavy fines.
The main law in Ireland regarding data protection is the Data Protection Act 1988. This was amended by the Data Protection (Amendment) Act 2003. Both will be replaced by the GDPR. The intention is to simplify and complement the EU’s regulatory environment. A single set of regulations has been developed and is enforced from this month. The main objective is to protect the data privacy of all EU citizens.
Why is it being implemented?
Technology has come a long way since 2003. Fifteen years ago Google and LinkedIn were in their infancy. WhatsApp, Facebook, Twitter, Spotify etc. had not yet been developed. There has been an explosion in the amount of consumer data being used and stored by businesses across the world in the last fifteen years. Hence, it has become vital to update and improve existing data protection laws in light of the growing cyber security risk. There has been an increased number of data breaches and thefts in recent years. Therefore, the motive behind the new regulation is to build trust in the digital industry. The GDPR will bring about a simpler regulatory environment but will require a change of practices and procedures in most organisations.
Whom does it apply to?
The GDPR applies to all organisations that hold and/or process personal data of EU citizens, regardless of the organisation’s location. The new Regulation is applicable to any company that offers goods or services to EU data subjects. It covers all businesses operating in the EU, and all member states are subject to the same Regulation. Hence, the GDPR also creates equal rights and opportunities. Furthermore, the new rules will be applicable even when a company based outside the EU stores information on EU citizens on a cloud storage service. The GDPR requires all non-European based businesses that monitor consumer behaviour in the EU or process information of EU citizens to assign a representative.
GDPR & Irish law (Data Protection Act): What changes?
It is crucial for all businesses to implement the GDPR by carrying out an in-depth analysis of all present procedures and processes against the GDPR’s requirements. The majority of the key principles, concepts and approach of the GDPR remain the same as those in the existing Data Protection Acts 1988 & 2003. Therefore, if an organisation is compliant with the existing Irish laws, it should face less hassle implementing the GDPR. Having said that, the GDPR will bring in significant developments and new elements to improve transparency and manage data protection. It is in the best interest of businesses to plan their approach to the GDPR to ensure early compliance and avoid penalties.
Gathering Personal Data & Consent
The existing legislation requires that customers be informed of the company’s identity and its reasons for gathering personal data. Consumers must also be made aware of the purpose(s) for which the information is collected, if and where it will be transferred, and to whom it will be disclosed. Under the GDPR, consent must be clear and must be provided in an understandable and easily accessible form, and it must be as easy to withdraw. Some additional information must also be communicated in advance: the legal basis for collecting and processing the data, retention periods, an explanation of any criteria implemented to ensure customer satisfaction in case of complaints, and the privacy rights the individual holds. The individual privacy rights under the GDPR are the same as in the Data Protection Acts.
Reporting Data Breaches
In Ireland, organisations are required to notify the Data Protection Commissioner (DPC) when they suffer a personal data breach. The DPC must be informed of all data breaches within 72 hours, unless the data is encrypted or otherwise converted. Breaches of confidentiality, identity theft or any other breaches that might directly cause inconvenience to an individual must be communicated to the consumer after the organisation becomes aware of the breach.
Data Protection Impact Assessments (DPIA)
A Data Protection Impact Assessment (DPIA) is a risk assessment that allows a company to recognise potential privacy risks before they arise. The organisation can then develop and implement measures to mitigate such issues. As per the requirements under the GDPR, a DPIA is mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. The GDPR does not specify an outline for the DPIA process to be followed. It is at the company’s discretion to implement a system that fits well with its existing policies and practices. Such an assessment might prove vital in determining the feasibility of future projects.
Data Protection Officers (DPO)
Businesses have to ensure data protection compliance with adequate knowledge, authority and support. Therefore, the GDPR requires some organisations to appoint a Data Protection Officer (DPO). Organisations that conduct consistent and regular processing and monitoring of personal data on a large scale, for example government authorities, will be required to designate a DPO. The DPO will be in charge of maintaining internal record-keeping requirements; submitting registrations/notifications of processing activities to the local DPC will then not be necessary. The DPO may be a designated staff member within the company or an external service provider; they must have qualifications and expertise in data protection practices and laws.
Penalties for non-compliance
At present, under the Irish Data Protection Act 1988 and Data Protection (Amendment) Act 2003, a company that causes a breach can be criminally prosecuted with fines of up to €5,000 and, on indictment, €250,000 per offence. The GDPR, however, directs an approach in which fine amounts depend on the severity of the data breach. Non-compliance can result in a fine of as much as €20 million or 4% of total annual global turnover (whichever is greater). An inadequate DPIA could lead to fines of up to 2% of total annual global turnover or €10 million (whichever is greater).