The long-awaited General Data Protection Regulation is now set to be implemented on the 25th of May 2018 across the European Union. The GDPR shall replace the existing Data Protection Directive 95/46/EC which has been in place since 1995 and will have a significant impact on all organisations doing business in Ireland and the EU. The aim of the aforementioned Regulation is to harmonise data protection across Europe and to make businesses more accountable for data privacy compliance. The GDPR will apply to both data controllers and data processors.
The implementation of the GDPR introduces new elements and significant enhancements to the European Data Protection law which will require detailed consideration by all organisations involved in processing personal data as there will be significant financial penalties for non-compliance.
Some of the key changes introduced are as follows:
Stronger Rules on Consent
There will be much stronger rules on consent. The GDPR will require a data subject’s consent to the processing of their personal data to be freely given, specific, informed and unambiguous. Reliance on silence, inactivity, or pre-ticked boxes will no longer be sufficient to constitute consent. Data subjects will also be permitted to withdraw their consent at any time.
Broader Definition of Personal Data
The definition of ‘personal data’ is now broadened to include online identifiers, location data, and IP addresses. Also, the term ‘sensitive personal data’ has been broadened to include genetic and biometric data.
Reporting of Data Breaches
The GDPR will bring in mandatory breach notifications. All breaches must be reported to the local data protection authority unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Appointment of a Data Protection Officer
In certain circumstances and organisations there will be a duty to appoint a Data Protection Officer (“DPO”). The DPO must be an expert in data protection law and privacy.
Privacy by Design
Privacy must be built into systems at the design stage, with the privacy rights of individuals at the forefront. Organisations will be required to implement privacy from the outset of any project impacting on personal information.
Increased Fines
The GDPR significantly increases the administrative fines for non-compliance, with the effect that failure to address data protection compliance obligations could prove very costly for companies. Companies can face fines of up to €20 million or 4% of global turnover for non-compliance, whichever is higher.
The GDPR will have a significant impact on all companies doing business in Ireland and the EU. It is evident, therefore, that Irish companies will have to analyse and review the GDPR in great detail in order to understand how they can comply with the requirements therein.
Purdy Fitzgerald Solicitors