GDPR just a day away: everything you need to know
Regulation increases obligations on organisations on how personal data processed
Organisations must obtain your data fairly. They must collect no more data than is necessary for the purposes for which they plan to use it
The biggest changes in European data-protection law in more than two decades take effect from Friday, May 25th, when the General Data Protection Regulation (GDPR) becomes enforceable.
First proposed by the European Commission in January 2012, its provisions are directly applicable in all EU states from Friday, and it replaces the 1995 Data Protection Directive.
The Data Protection Bill 2018, which implements the regulation here, as well as an associated law enforcement directive, was due to be signed into law by President Michael D Higgins this week.
Often described as “technology neutral”, the regulation’s focus is on demanding accountability from organisations into how they collect and process personal data. It takes what is described as a “risk-based” approach to data protection and imposes new obligations, such as mandatory reporting of data breaches within 72 hours.
Individuals have a fundamental right to the protection of their personal data under article 8 of the Charter of Fundamental Rights of the European Union.
While much of the focus on the changes introduced by the regulation has been on the new regime of administrative fines that may be imposed by a data-protection authority, the regulation requires that any such fines be “effective, proportionate and dissuasive”.
Maximum fines are up to €20 million or 4 per cent of annual worldwide turnover, whichever is the greater.
The regulation significantly strengthens the rights of individuals, who will be entitled to compensation from organisations where their rights are breached, even if they do not suffer material damage. The Irish legislation provides that such compensation must be sought in a so-called “data-protection action” before the Circuit Court, which has a monetary jurisdiction of €75,000 or €60,000 for personal injury claims.
A right by individuals to obtain details of the data an organisation processes on them, including details of the other parties it is being shared with, is continued under the new regime. However, organisations must now respond to such requests within one month, rather than the 40 days allowed under the old legislation. They will not be permitted to charge for processing such requests.
Organisations also have an obligation to process data in a transparent manner, in line with the accountability principle built into the regulation.
The new regulation also provides for a “right to be forgotten”, otherwise known as a right to erasure, of personal data in certain circumstances, such as where the data is no longer required for the purposes for which it was originally obtained, or where it has been processed unlawfully. Where an organisation is processing personal data solely based on an individual’s consent, the individual will have the right to withdraw that consent at any time.
Many organisations, including public bodies and government departments, will have to appoint a data-protection officer who must be independent in their role and be able to advise the organisation on data-protection issues at the highest level within the organisation.
A survey of small and medium businesses published by the Data Protection Commissioner last week found a twofold increase in awareness in 2018 among such organisations regarding the major changes to data-protection legislation. There was also a nearly threefold increase in awareness of the start-date for the GDPR.
More than twice as many SMEs this year (52 per cent) had identified steps for compliance with the regulation, compared to 21 per cent in 2017. The number that had assigned a staff member to oversee GDPR preparation was up by 6 per cent to 57 per cent compared to 2017.
Publishing her annual report for 2017 in February, Data Protection Commissioner Helen Dixon said the best results for data subjects were secured “when organisations of all types deliver on their obligations to be fair and transparent”.
“In our experience as a data-protection authority, few organisations disagree with the fundamental principles of data-protection legislation. Quite simply they make sound business and consumer engagement sense.”
Ms Dixon said her organisation had focused very significant resources in 2017 on driving awareness of GDPR so that organisations were “motivated and energised” to make the necessary changes to their businesses.
She said her office firmly believed they should see GDPR as “an opportunity rather than a challenge, and that those who can demonstrate a true commitment to data protection would be rewarded in the marketplace for their services”.
GDPR: What you business, organisation or club needs to know
GDPR increases the obligations and responsibilities on organisations for how they collect, use and protect personal data. You must be able to demonstrate your efforts to comply with the regulation if the Data Protection Commission decides to look at your processing of personal data.
The commission recommends that data controllers should review and enhance their risk-management processes as implementing GDPR could have significant implications for resources, especially for more complex organisations.
You should “map” all the data you hold, and document the reasons you hold it, how you obtained it, why it was originally obtained, and how long you plan to retain it.
Security of personal data is crucial – is it encrypted and how easily accessible is it, both in terms of physical and IT security?
Do you ever share the personal data you hold with third parties, and on what basis might you do so? If so then the people have a right to know this.
GDPR also mandates a “privacy by design” approach to data, where the privacy of individuals should be built in at the start of every project and product.
You will need to do a data protection/privacy impact assessment, particularly if a project or product involves the use of new technologies and the processing is likely to result in a high risk to the “rights and freedoms” of data subjects.
You may need to appoint a data-protection officer. This applies if your organisation is a public body, or if the core activities require “regular and systematic monitoring” of individuals on a large scale.
If a person whose personal data you are processing requests their data (a “subject access request) you have one month to comply, and you may not charge for this. Under the old legislation an organisation had 40 days and could charge a maximum fee of €6.35.
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
GDPR introduces mandatory breach notifications to the data-protection authority. All breaches must be reported to the DPC, typically within 72 hours, unless the data is anonymised or encrypted.
Any breach that is likely to cause harm to an individual, such as identity theft, must also be reported to the individuals concerned.
You are no longer required to register with the Data Protection Commission.
You should ensure you have proper contracts in place with your data processors.
Is it too late to start now? Well, you should have started about two years ago, but it’s never too late to start on your compliance obligations.
GDPR: What individuals need to know
GDPR gives you greater control over your personal data, setting out clearly defined rights and how you may exercise them. Your personal data includes anything that can identify you, including if it may be linked with other information an organisation holds in order to do that.
Typically it includes a name, an ID number, location data, a postal address, an Eircode, your browsing history, images or anything relating to your “physical, physiological, genetic, mental, economic, cultural or social identity”.
Organisations must provide you with information about what they are doing with your data in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”. This is particularly the case for any information addressed specifically to a child. For the purposes of the Irish Data Protection Act, the “digital age of consent”, below which a parent or guardian must give consent for the child’s data to be processed by online services, is 16.
Organisations must obtain your data fairly. They must collect no more data than is necessary for the purposes for which they plan to use it. They may not keep data about you just because it might be “useful” at a later stage. They must retain the data for no longer than is necessary for that specified purpose.
They must keep your data safe and secure, and give you a copy of it if you request it.
Where an organisation is processing your data it must give you certain information about the categories of personal data it is processing, the purposes of the processing, details of the third parties it is being disclosed to, in particular where they are outside the EU.
You have a new “right to data portability” which gives you the right to obtain your personal data in a commonly-used format that may be read by computer, and to move that data to another organisation without hindrance.
You have a right to have inaccurate personal data about you rectified.
You have a “right to be forgotten” or to have your data erased in some cases.
You have a right to seek compensation from an organisation where you suffer material or non-material damage as a result of a breach of the GDPR.
What about all the GDPR “consent” emails? Why are they sending me these?
If an organisation already has your consent to send you marketing emails, it shouldn’t be sending you emails asking for your consent now under GDPR. If they have your consent they may already send you such emails under so-called e-privacy regulations.