New Data Protection Regulations for the Digital Age
General Data Protection Regulation to be Introduced on 25th May 2018
By Karl O’Connor, Solicitor.
The General Data Protection Regulation (“GDPR”) will come into effect on the 25th of May 2018, placing an onus on Irish companies and organisations to implement the Regulation and become compliant with it from that date.
The storage and usage of personal data has changed significantly over the past number of years. The new Regulation to be introduced in Ireland will give people greater control over how their personal data is used, and it sets out how each organisation and business must handle employee and consumer data. There will be significant fines, among other sanctions, for non-compliance with the new Regulation, and therefore good data management for companies and organisations will be vital.
We look at some of the headline issues covered in the New GDPR:
- Data Protection Officer
Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or involve processing large quantities of sensitive personal data, must appoint a Data Protection Officer (“DPO”). DPOs must be expert in data protection law and privacy. They must also be able to act independently and report directly to senior management within organisations.
- Increased Penalties
For the first time, companies that breach data protection law can face fines calculated with reference to their annual turnover. Companies can be fined up to €20,000,000 or 4% of annual global turnover, whichever is higher.
- Privacy Rights
Data controllers must ensure that privacy concerns are a key part of their decision making. The GDPR seeks to ensure that the privacy rights of data subjects are prioritised by Data Controllers when they make business decisions. Data Controllers will have to undertake privacy impact assessments for any actions that may pose a high risk for data subjects’ privacy rights.
Where a Data Subject’s consent is relied upon to process their data, the Data Subject must freely give specific, informed and unambiguous consent. Where Data Controllers gather personal data for one specific purpose, the GDPR requires that data subjects give additional consent for each additional processing operation.
Under the GDPR, EU Member States shall have discretion to decide what the minimum age will be for Data Subjects to consent to processing of their personal data, in each Member State.
- Data breaches
Where a company suffers a data breach, the GDPR introduces mandatory obligations to notify the local Data Protection Authority (“DPA”) without delay. Where feasible, the GDPR provides that companies should notify their local DPA within 72 hours. Where the data breach poses a high risk to the privacy rights of Data Subjects, the affected Data Subjects must also be notified without undue delay.
- Right to be Forgotten/Data Erasure
The GDPR allows a Data Subject to have the Data Controller erase his or her personal data. There is particular emphasis on the right of a Data Subject to require erasure of data created when he or she was a child (for example, a person requiring posts, photos etc. on social media posted as a child/teenager to be erase
- Formalised Consultation Process
The principle that a Company, established in one EU member state, should be subject to supervision by one DPA is endorsed in the GDPR. However, the GDPR introduces a complex ‘consistency mechanism’. This is a formalised consultation process where national DPAs are obliged to consult with other ‘concerned’ DPAs if they are deciding on pan-European issues. A panel of DPAs, the European Data Protection Board, will also be empowered to overrule the decision of a national DPA through a two-thirds vote.
Irish companies will have to dedicate time and resources to understand how they can comply with the new reality that the GDPR represents.
The Data Protection Commissioner has prepared a twelve step guide to help Businesses prepare for GDPR, see www.gdprandyou.ie for further details.
The content of this article is provided for information purposes only and does not constitute legal or other advice. If you require Legal Advice on any Data Protection issue, please contact our offices.