The General Data Protection Regulation (“GDPR”) was published in the Official Journal of the European Union on 4 May 2016. It will enter into force on 24 May 2016, and apply from 25 May 2018. The GDPR will replace the current European Data Protection Directive (95/46/EC), which dates back to 1995.
The GDPR is in the form of a regulation, which means that it will be directly applicable in all EU Member States without the need for further implementing legislation (although Member States will have discretion around the implementation of certain requirements). However, the GDPR does provide for a two year transition period before its provisions will apply, so organisations will have until May 2018 to “get their houses in order”, so to speak, in readiness for the GDPR.
The GDPR has been drafted with the aim of ensuring that a single, uniform set of data protection rules applies across the EU. Although many of its provisions are broadly similar to those contained in the existing data protection framework, there are a number of new and onerous requirements. As such, organisations would be advised to review their existing data protection policies, procedures and controls, and identify any gaps that will need to be addressed. It will be particularly important for companies to ensure that they are compliant on the effective date given the potential penalties under the GDPR regime, which include fines of up to 4% of the annual worldwide turnover of the non-compliant company or €20 million (whichever is the greater). The changes to current Irish data protection law will include the following:
- Data Breaches: It will be mandatory to notify personal data breaches to the Data Protection Commissioner (“DPC”) without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to data subjects). This replaces the current non-binding code of practice, which recommends notification within 48 hours in certain circumstances (save in the case of telcos and ISPs, who are already subject to mandatory notification requirements). In addition, it will be mandatory to notify affected data subjects “without undue delay” where the breach is likely to result in a high risk to them.
- Internal Compliance Policies: The current obligation on certain entities to register with the Data Protection Commissioner will no longer apply, and will be replaced with an obligation to adopt internal policies and records which demonstrate compliance with data protection laws (the “accountability” principle). In addition, a data protection impact assessment will need to be carried out before engaging in personal data processing activities that are likely to result in a high risk to data subjects.
- Rights of Erasure: The so called “right to be forgotten” strengthens the pre-existing rights of data subjects to require erasure of their personal data, with a particular emphasis on the right of a data subject to require erasure of data made available when he/she was still a child.
- Data Protection Officer: Certain entities (including all public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of personal data) will be required to appoint a data protection officer to oversee compliance with the GDPR.
Organisations should begin now to review their internal procedures and controls in light of the impending changes under the GDPR, and consider what amendments to such procedures will be required, and what other measures should be taken, such as implementing internal training and awareness programmes, to ensure that they are GDPR ready.