The General Data Protection Regulation ("GDPR") will come into effect two years after it is published in the Official Journal of the EU. This means that Irish companies must be in full compliance with the GDPR by 2018. We look at six of the headline issues:
- Data Protection Officer
Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or involve processing large quantities of sensitive personal data, must appoint a Data Protection Officer (“DPO”). DPOs must be expert in data protection law and privacy. They must also be able to act independently and report directly to senior management within organisations.
- Increased penalties
For the first time, companies that breach data protection law can face fines calculated with reference to their annual turnover. Companies can be fined up to €20,000,000 or 4% of annual global turnover, whichever is higher.
- Privacy by design
Data controllers must ensure that privacy concerns are a key part of their decision making. The GDPR seeks to ensure that the privacy rights of data subjects are prioritised by data controllers when they make business decisions. Controllers will have to carry out privacy impact assessments for any actions that may pose a high risk for data subjects’ privacy rights.
- Consent
Data subjects must freely give specific, informed and unambiguous consent to the processing of their data. Where a data controller collects personal data for one specific purpose, the GDPR requires that data subjects give additional consent for each additional processing operation.
The GDPR also gives EU member states discretion to decide what the minimum age will be for data subjects to consent to processing of their personal data.
- Data breaches
The GDPR introduces a mandatory obligation for a company that suffers a data breach to notify the local data protection authority (“DPA”) without delay. The GDPR states that, where possible, companies should notify their local DPA within 72 hours. Where the data breach poses a high risk to the privacy rights of data subjects, affected data subjects must also be notified without undue delay.
- One stop shop
The principle that a company, established in one EU member state, should be subject to supervision by one DPA is endorsed in the GDPR. However, the GDPR introduces a complex ‘consistency mechanism’. This is a formalised consultation process where national DPAs are obliged to consult with other ‘concerned’ DPAs if they are deciding on pan-European issues. A panel of DPAs, the European Data Protection Board, will also be empowered to overrule the decision of a national DPA through a two-thirds vote.
There are many concepts in the GDPR that reflect current law. However, some requirements, like the appointment of a DPO, are new. These requirements will impose new and additional obligations on businesses. The GDPR also leaves a number of issues to the discretion of member states. We can expect further clarifications over the next two years as we move towards 2018.
Irish companies will have to dedicate time and resources to understand how they can comply with the new reality that the GDPR represents.