On 25 May 2018, the General Data Protection Regulation (the GDPR) will become law across all member states within the European Union.
It has been widely described as a “game-changer” as it overhauls the manner in which all businesses and organisations handle personal data. Significant penalties can be imposed for breaches, so doing nothing is not an option.
What is the GDPR?
Its full title is “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”, otherwise commonly known as the “General Data Protection Regulation” or the “GDPR”.
Why is the GDPR so important?
The GDPR will overhaul the data protection legal framework in Europe when it comes into effect on 25 May 2018 and Irish businesses must be fully compliant by that date.
The GDPR will apply a single set of rules that are valid across all EU Member States. As it is a Regulation, it will be immediately enforceable in Ireland (and the other Member States) without the need for domestic legislation. This should decrease the level of national variation, but there will not be complete Europe-wide uniformity, as the GDPR has left discretion to Member States in a number of areas.
The GDPR emphasises transparency, security and accountability on the part of businesses (irrespective of their size) that collect and process personal data, while standardising and strengthening the rights of EU citizens. It will greatly increase obligations on businesses, as well as giving data protection authorities more robust powers to tackle non-compliance, including the imposition of significant financial penalties.
Compliance with the GDPR will place a greater administrative and compliance burden on businesses. However, preparation is the key to a smooth transition to the new data protection standards. The sooner preparations commence, the easier it will be for businesses to transition to the new standards.
Re-cap of Data Protection rules
Data protection protects the privacy rights of individuals by placing responsibilities on businesses that process personal data. Businesses must adhere to the key data protection principles summarised below and must show that the processing of the data is necessary for a particular purpose or purposes, known as a “lawful basis”, eg to perform a contract with the data subject or to comply with a legal obligation to which the business is subject. Businesses processing data must:
- Obtain and process personal data fairly
- Keep personal data only for one or more specified and lawful purposes
- Process personal data only in ways compatible with the purposes for which it was given to the business initially
- Keep personal data safe and secure
- Keep personal data accurate and up-to-date
- Ensure that personal data is adequate, relevant and not excessive
- Retain personal data no longer than is necessary for the specified purpose or purposes
- Give any individual a copy of his / her personal data, on request
The GDPR builds on the above principles. However, it goes further, for example by increasing standards and sanctions, as well as by introducing the principles of accountability (eg businesses must be able to demonstrate compliance with the GDPR) and transparency (eg any information / communication provided by businesses relating to the processing of personal data must be easily accessible, easy to understand and in clear and plain language). The GDPR also amends and restates the permitted lawful bases for processing data.
The Data Protection Commissioner enforces data protection law in Ireland. The Government has, however, indicated its intention to replace the Commissioner with a “Data Protection Commission”, which will be the “supervisory authority” under the GDPR (commonly known as the “data protection authority”) and which will monitor the application and enforcement of the GDPR.
- Extra-territorial effect, which means that it will apply to controllers and processors based outside the EU
- Requirement to appoint a Data Protection Officer in certain circumstances
- Stricter requirements for valid consent to data processing
- Enhanced rights for individuals
- Reduced time period for dealing with individuals’ rights
- Obliging businesses to be clearer about how they use personal data
- Mandatory Data Protection Impact Assessments in certain circumstances
- Notification of data breaches within 72 hours of occurrence
- Data protection by design and default
- Right to Compensation for individuals
- New obligations for processors
- Increased penalties for non-compliance
- Ability to appoint a Lead Supervisory Authority
We look at these key provisions in more detail in our article here.
GDPR jargon buster