Have you heard about the GDPR (General Data Protection Regulation)?
Do you know the changes it will bring to data protection law in Ireland?
Do you know when it is to come into effect here?
These questions, and similar foundational ones, are what I am about to look at.
The “big bang” date for this Regulation to come into effect in Ireland will be 25th May, 2018. As EU regulations have direct effect in Irish law, it will not require any act of transposition or formal introduction into Irish law.
The effect of the GDPR will be to replace the existing data protection framework in Ireland. If you are a data controller, and you currently have obligations under data protection law, you will need to know what new obligations the GDPR will impose on you and your organisation or business.
At its core it strengthens the rights of EU citizens to data privacy, and central to this are the three principles of
You will note that these are the principles inherent in the current data protection regime in Ireland, pursuant to the Data Protection Act 1988 and Data Protection (Amendment) Act, 2003. It will be a relief to discover that if you are in line with current legislation you will be broadly covered for the new regime.
However, there are some new elements being introduced by the GDPR which you need to be aware of. The Office of the Data Protection Commissioner has suggested a 12 step approach to the new regime. Those 12 steps are:
1. Becoming aware
Key personnel need to be aware the law is changing in this area from 25th May, 2018.
2. Become accountable
Gather up your existing personal data and review it under the following headings:
- Why are you holding it?
- How did you obtain it?
- Why was it gathered?
- How long will you retain it?
- How secure is it?
- Do you share it with 3rd parties? If so, on what basis?
This will cover the accountability principle mentioned at number 2 above.
3. Communicate with staff and service users
This involves letting your staff or service users know about the collection of their personal data.
Under GDPR new obligations include:
- Providing information about the legal basis for processing the data
- Retention periods
- Complaint procedures
- Their individual rights under GDPR
- Whether the data will be subject to automated decision making.
4. Personal Privacy Rights
Generally, the rights afforded to individuals will be similar to what they currently enjoy, e.g. to have inaccuracies corrected, to have data deleted, and to object to direct marketing.
You will also need to consider how you will provide data electronically if requested by the data subject. You will need to consider, too, how long it will take to locate the data and who will make decisions about deletion of data.
5. How will access requests change?
The GDPR will change the timescale for responding to data protection requests to one month so you need to review how you will deal with this faster timescale.
It will be less likely that you will be able to charge for such requests, and any ground for refusal will need to be founded in well documented policies and procedures for refusal.
You will also need to provide additional information to data subjects such as information about the data retention periods and having inaccurate data amended.
6. The legal basis
You will have to explain your legal basis for processing personal data. Data subjects will have stronger grounds for having their data deleted, and the legal bases for processing data will be reduced significantly.
If customer consent is the only justification for processing data the data subject will be in a stronger position to request that it be deleted.
7. Customer consent as a ground to process data
Customer consent must be ‘freely given, specific, informed and unambiguous’. The customer must not be duped or forced into giving the information. They must also know exactly what they are consenting to, and consent requires a positive action of approval; it cannot be inferred from silence or a failure to take action, e.g. a tick box to opt out.
Subjects also need to be told of their right to withdraw consent. You need to be able to show how consent was obtained, and have a record of it. Generally, where consent is relied upon, the data subject has stronger rights in relation to their personal data.
8. Processing children’s data
If you must gather children’s data you need to be careful about being able to verify the age of the child and obtain the consent of the guardian.
Special protections in respect of children’s data will be introduced, especially in relation to social media use and commercial internet services.
9. Reporting data breaches
You must ensure you have sound procedures in place to detect, report and investigate any data protection breach. The GDPR will introduce mandatory data breach reporting obligations to the Data Protection Commissioner.
Failure to report a breach will result in a fine in addition to the fine for the breach and breaches will typically have to be reported within 72 hours.
10. Data protection impact assessments (DPIA)
This involves the systematic consideration of how a particular initiative will impact on the privacy of individuals. This assessment may involve discussions with groups and stakeholders.
If this assessment leads the organisation to believe that the risks to personal data cannot be mitigated fully, it may be necessary to contact the Data Protection Commissioner before starting the process of gathering data.
If a project requires a DPIA you will need to consider:
- Who carries it out?
- Who needs to be involved?
- Will it be run locally or centrally?
The whole thrust of the DPIA is to identify potential problems with an initiative involving the gathering of personal data and look at ways to mitigate those issues.
11. Data protection officers
Some organisations will need to designate a DPO (data protection officer) under the GDPR regime. Such organisations would include public bodies, large organisations, and so forth, but you need to consider whether you need a data protection officer in your organisation.
He/she will need to be conversant with GDPR and its obligations. You may appoint an external advisor to this role, if there is nobody suitable or qualified in your organisation.
12. GDPR and international organisations
Organisations which have operations in many EU states will be entitled to deal with one data protection authority, a Lead Supervisory Authority (LSA), as their single regulating body in the country where they are mainly established.
This will generally be determined as the country where the main administration of the organisation is carried out.
If you are currently in compliance with existing data protection legislation in Ireland you will be in good shape to deal with the new situation after 25th May, 2018. However, even though you will be playing a similar game it will be more akin to being in the Premier league than division 3 or 4.