The General Data Protection Regulation (hereinafter GDPR or the “Regulation”) came into force on the 25th of May 2018. The highly anticipated Regulation aimed to clarify and harmonise the law in relation to the processing and controlling of personal data across the European Union. The Regulation has significantly reshaped and strengthened pre-existing data protection principles. The imposition of stringent data protection policies and structures focused around the concepts of transparency and accountability has strengthened the rights of data subjects across the European Union.
The GDPR represents one of the most challenging and evolving areas of law facing businesses today. The risks associated with non-compliance with data protection law have increased dramatically. Our data protection specialists are ideally placed to advise your company on setting up a robust GDPR compliance programme. We provide advice on GDPR preparedness, including the new transparency and information requirements, the expanded rights of data subjects, one-stop shop regulation, international transfers, risk analysis and data protection impact assessments (DPIAs), mandatory breach notifications, the new data controller/processor dynamic, increased consent requirements and the penalties under the GDPR.
Aim of the GDPR
The primary aim of the GDPR is to give increased protection to individuals in respect of their personal information but it will also greatly increase the obligations on companies that deal with these individuals’ data. The GDPR significantly increases the obligations on businesses in how they collect, use and protect personal data. At the centre of the new law is the requirement for businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.
Impact of the GDPR
The GDPR is already having a significant impact on nearly all Irish businesses. Any business that holds information about identifiable natural persons (data subjects) will have to hold that information strictly in compliance with the GDPR. This will apply to customer data, employee data and any other data in respect of individuals held by a business.
This will require nearly all businesses to put in place appropriate policies and procedures to ensure GDPR compliance. Most of our commercial clients have put in place Privacy Statements on their websites, Data Processing Agreements with any third parties with whom they share personal data, internal Privacy Policies for their staff, as well as policies around data retention, data breaches, etc. Any business that uses customer contact lists to market directly to customers has to make sure that it has a ‘GDPR standard’ consent from each customer in order to lawfully continue to market to them.
Risks of Non-Compliance
The risks associated with non-compliance with data protection law post 25 May 2018 have increased dramatically. The GDPR provides for maximum fines up to €20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year (whichever is greater). Google, Facebook, Instagram and WhatsApp were hit with privacy complaints within hours of GDPR taking effect.
Preparation for GDPR Compliance
We have set out below the Data Protection Commissioner’s 12 step guide, which sets out practical steps businesses can take to comply with the GDPR. If, having reviewed these steps, you require any assistance in getting your business ‘GDPR ready’, please contact Darragh O’Dea and we would be delighted to assist you.
• Why are you holding it?
• How did you obtain it?
• Why was it originally gathered?
• How long will you retain it?
• How secure is it, both in terms of encryption and accessibility?
• Do you ever share it with third parties and on what basis might you do so?
This is the first step towards compliance with the GDPR’s accountability principle, which requires organisations to demonstrate (and, in most cases, document) the ways in which they comply with data protection principles when transacting business. The inventory will also enable organisations to amend incorrect data or track third-party disclosures in the future, which is something that they may be required to do.
Before gathering any personal data, the GDPR requires that you notify your customers of your identity, your reasons for gathering the data, the use(s) it will be put to, who it will be disclosed to, and whether it is going to be transferred outside the EU. Additional information must also be communicated to individuals in advance of processing, such as the legal basis for processing the data, retention periods, the right to complain where customers are unhappy with your implementation of any of these criteria, whether their data will be subject to automated decision-making, and their individual rights under the GDPR. The GDPR also requires that the information be provided in concise, clear and easy-to-understand language. This is usually done by the company putting a Privacy Statement on its website.
Rights for individuals under the GDPR include the right:
• to request a copy of all of their personal data from a company within 30 days
• to have inaccuracies corrected
• to have information erased
• to object to direct marketing
• to restrict the processing of their information, including automated decision-making
• to data portability
Review your current procedures. How would your organisation react if it received a request from a data subject wishing to exercise their rights under the GDPR?
• How long would it take to locate (and correct or delete) the data in all locations where it is stored?
• Who will make the decisions about deletion?
• Can your systems respond to the GDPR’s data portability provision, where applicable, which requires you to provide the data electronically and in a commonly used format?
The rules for dealing with subject access requests have changed under the GDPR. In most cases, you will not be able to charge for processing an access request, unless you can demonstrate that the cost will be excessive. The timescale for processing an access request will also shorten, dropping significantly from the current 40 day period. Organisations will have some grounds for refusing to grant an access request. Where a request is deemed manifestly unfounded or excessive, it can be refused. However, organisations will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria.
You will also need to provide some additional information to people making requests, such as your data retention periods and the right to have inaccurate data corrected. If your organisation handles a large number of access requests, the impact of the changes could be considerable. The logistical implications of having to deal with requests in a shorter timeframe and provide additional information will need to be factored into future planning for organisations. It could ultimately save your organisation a great deal of administrative cost if you can develop systems that allow people to access their information easily online.
For government departments and agencies, there has been a significant reduction in the number of legal bases they may rely on when processing data. It will no longer be possible to cite legitimate interests. Instead, there will be a general necessity to have specific legislative provisions underpinning one or more of the methods organisations use to process data. All organisations need to carefully consider how much personal data they gather, and why. If any categories can be discontinued, do so. For the data that remains, consider whether it needs to be kept in its raw format, and how quickly you can begin the process of anonymisation and pseudonymisation.
If consent is the legal basis relied upon to process personal data, you must make sure it will meet the standards required by the GDPR. If it does not, then you should amend your consent mechanisms or find an alternative legal basis. Note that consent has to be verifiable, that individuals must be informed in advance of their right to withdraw consent and that individuals generally have stronger rights where you rely on consent to process their data. The GDPR is clear that controllers must be able to demonstrate that consent was given. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail.
The GDPR introduced special protections for children’s data, particularly in the context of social media and commercial internet services. The state has defined the age up to which an organisation must obtain consent from a guardian before processing a child’s data as thirteen (13) years old. It should be noted that consent needs to be verifiable, and therefore communicated to your underage customers in language they can understand.
Where a data protection impact assessment (DPIA) indicates that the risks identified in relation to the processing of personal data cannot be fully mitigated, data controllers will be required to consult the DPC before commencing the processing. Organisations should now start to assess whether future projects will require a DPIA and, if the project calls for a DPIA, consider:
• Who will do it?
• Who else needs to be involved?
• Will the process be run centrally or locally?
It has always been good practice to adopt privacy by design as a default approach; privacy by design and the minimisation of data have always been implicit requirements of the data protection principles. However, the GDPR enshrines both the principle of ‘privacy by design’ and the principle of ‘privacy by default’ in law. This means that service settings must be privacy-friendly by default, and that the development of services and products must take account of privacy considerations from the outset.
Some organisations are already required to notify the DPC when they incur a personal data breach. However, the GDPR will bring in mandatory breach notifications, which will be new to many organisations. All breaches must be reported to the DPC, typically within 72 hours, unless the data was anonymised or encrypted. In practice this will mean that most data breaches must be reported to the DPC. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned. Now is the time to assess the types of data you hold and document which ones fall within the notification requirement in the event of a breach. Larger organisations will need to develop policies and procedures for managing data breaches, at both central and local level.
It is worth noting that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
The one-stop shop (OSS) mechanism will allow your organisation to deal with a single lead supervisory authority (LSA) for most of your processing activities. Your LSA will be the supervisory authority of the country in which you have your main establishment.
For the OSS to apply to your organisation, you must be engaged in cross-border processing and be established in the European Union.
The way you will identify your main establishment depends on whether you are a data controller or a data processor, but in general it will be helpful for you to map out where your organisation makes its decisions about data processing.
This Document is solely for guidance purposes only and does not in any way whatsoever constitute specific legal advice.