Cyber and Data Protection
The EU General Data Protection Regulation (“GDPR”) comes into force in exactly 12 months on the 25th May 2018.
The introduction of GDPR will result in a significant overhaul of the existing European Data Protection regime as GDPR will repeal and replace the current Data Protection Directive (94/46/EC), which forms the basis for the current Irish legislative framework, being the Data Protection Acts, 1988 and 2003.
The changes contemplated by GDPR will place significantly more obligations on organisations and give more rights in favour of individuals.
10 key changes to the current Data Protection regime all organisations need to be aware of include:
- Wider territorial scope
Once GDPR becomes law, any organisation, whether established in the EU or not, which process the personal data of data subjects located in the EU, together with data controllers and data processors established in the EU, will be subject to GDPR. This will capture many non-EU businesses providing goods or services to EU citizens, such as online advertisers, not currently caught by the existing data protection regime.
- Tougher sanctions
GDPR significantly increases the current penalties, such that GDPR has some of the highest sanctions for non-compliance. Organisations could potentially be subject to fines of up to €10 million or 2% of worldwide annual turnover, whichever is greater, for serious breaches of GDPR and €20 million or 4% of total worldwide annual turnover, whichever is greater, for very serious breaches.
The Office of the Data Protection Commissioner is granted broad investigative and corrective powers under GDPR, including the power to carry out audits or order a data controller to take a specific course of action.
- More data captured
The definition of personal data is broadened to include information relating to an identified or identifiable natural person. Online identifiers such as IP address, cookies and RFID tags are specifically listed in GDPR as an identifier. GDPR also includes a broader definition of sensitive personal data, now known under GDPR as ‘special categories’ of personal data. This has been expanded to include the processing of genetic data and biometric data, the processing of which is now subject to greater restrictions.
- Data Processors captured
The current regime does not generally regulate data processors engaged by a data controller to process personal data on their behalf. GDPR regulates data processors for the first time and provides that they can be liable for claims taken by individuals and also to sanctions for breaches of GDPR.
- Enhanced rights of individuals
Data Subjects rights have been enhanced to include:
- a reduced time frame to comply with a subject access request and removal of the right to charge a fee;
- a new right to data portability;
- a new right to erasure (“right to be forgotten”); and
- a right to restriction of processing in certain circumstances.
In addition, GDPR makes it easier for individuals to claim compensation against data controllers and data processors, as it provides a new right to sue for non-material damage, such as distress suffered arising from a data privacy breach.
- Data Protection Officers
Under GDPR, it is mandatory for organisations to designate a Data Protection Officer in three instances, namely:
- Public authorities;
- Where the core activities of the controller or processor consist of regular and systematic monitoring of data subjects on a large scale;
- Where the core activities of the data controller or data processor consist of processing on a large scale of special categories of data.
- Higher bar for consent
The threshold for a consent to be valid has been raised by GDPR and will not be valid unless it was freely given, specific, informed and unambiguous. At the time the consent is provided, an individual must also be informed of their right to withdraw that consent at any time for the consent to be validly given in the first place.
- Higher bar for lawful processing
GDPR has also raised the bar in terms of establishing the lawful processing of data, which will make it much harder for organisations to fall within the existing justifications for processing.
- Data breach reporting
GDPR requires a data controller to notify data breaches to the supervisory authority “without undue delay and where feasible, not later than 72 hours”. When a data breach is likely to result in higher risk to the rights and freedoms of individuals, the data controller is also required to notify the affected individuals “without undue delay”.
- Accountability & Records
The theme of accountability pervades GDPR, with organisations to be required to demonstrate compliance with data protection principles. Organisations are required to keep records of processing operations and to perform ‘data protection impact assessments’ for high risk processing.
Organisations must also implement data protection ’by design’ and ‘by default’ which requires taking data protection risks into account throughout the process of designing a new process, product or service, so that data privacy rights are at the forefront.
From a practical perspective, every data controller and data processor will need to carry out an extensive review of their current data in order to carry out a gap analysis against GDPR requirements. Once the gaps are identified, action can be taken to move towards GDPR compliance.