The General Data Protection Regulation (“GDPR”), which came into force on 24 May 2016 and will apply from 6 May 2018, intends to strengthen and unify data protection for individuals within the EU.
It is in the form of a Regulation which means that it is directly applicable in all EU Member States without the need for further legislation to be implemented within the Member State. Member States will, however, have discretion around the implementation of certain requirements.
Implications of the GDPR for Irish Companies
While the GDPR does not apply until mid 2018, it is essential that Irish companies start planning their approach to GDPR compliance as early as possible. Companies may need to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. In a large business this could have significant budgetary, IT, personnel, governance and communications implications.
Four key points companies should address are as follows:
All decision makers and key people in your organisation must be aware that the law is changing with the introduction of the GDPR. The introduction of the GDPR will have major resource implications, especially for larger organisations. Companies should particularly use the first part of the GDPR’s two-year lead-in period to raise awareness of the changes that are coming.
2. Legal basis for processing personal data
Under the GDPR, some individuals’ rights will be modified depending on the basis for processing their personal data. It is important that you review the various types of data processing you carry out. The introduction of the GDPR gives people a stronger right to have their data deleted where you use consent as your legal basis for processing.
3. Communicating privacy information
It would be advisable to review your current privacy notices and policies and put a plan in place for making any necessary changes in time for GDPR implementation. Under the GDPR you will need to explain your legal basis for processing the data and your data retention periods. In addition, you will need to have the capability to deal with complaints, as under the GDPR, individuals have a right to complain if they think there is a problem with the way you are handling their data.
4. Penalties for Offences under the GDPR
The GDPR has increased fines for both data controllers and data processors who are prosecuted for data protection breaches. The GDPR introduces a two-tier structure for sanctions, with a potential for fines of up to €20,000,000 or 4% of the annual worldwide turnover of the non-compliant company, whichever is greater. The GDPR notes that national law should prescribe a system of “effective, proportionate and dissuasive” penalties, whether these be criminal or administrative. As a result, it is open to national legislators to introduce implementing legislation which will serve to broaden the scope of the sanctions regime in the GDPR.
It is clear that the GDPR leaves a great deal for companies to consider in the lead up to its implementation. The developments with ‘Brexit’ will need to be monitored in terms of what data protection rules will ultimately end up applying to companies with operations in the UK. Whilst there is business uncertainty as to whether there will be divergence in data protection standards post-Brexit between the UK and the rest of Europe, Ireland will retain the EU standards. These factors will need to be considered in terms of warehousing data and compliance between jurisdictions.
In order to help you and your organisation prepare for and navigate through the GDPR, we will be publishing a series of briefings and hosting information seminars during the lead-in period. More details will follow shortly.