07 September 2016
The long-awaited EU General Data Protection Regulation (GDPR) entered into force on 24 May 2016 and, following a two-year transition period, will apply from 25 May 2018. Described as the most ground-breaking piece of EU legislation in the digital era, the GDPR aims to make businesses more accountable for data privacy compliance and offers citizens extra rights and more control over their personal data. The new rules will have significant impacts for all organisations. Some key requirements include:
Any organisation, whether established in the EU or not, processing the personal data of data subjects located in the EU, and data controllers and processors established in the EU, will be subject to the GDPR. This will catch non-EU businesses with websites directed at the EU, such as online advertisers and e-commerce businesses.
Data Protection Impact Assessments (DPIAs) will be mandatory in respect of any project where ‘high-risk’ data processing is envisaged, including profiling, large-scale processing of special (sensitive) categories of personal data or large-scale systematic monitoring of publicly accessible areas.
In addition to the requirement for consent to be specific, informed and freely given, under the GDPR it must also be unambiguous, requiring some form of statement or clear affirmative action to be obtained from the individual. This is likely to make it more difficult for consent to be relied on as a legal basis for data collection.
Breaches must be notified to the Supervisory Authority within 72 hours, unless the breach is unlikely to result in a risk to rights and freedoms of individuals. Where this risk is high, affected data subjects must also be notified without undue delay.
The GDPR imposes increased obligations on processors and makes them liable for breaches when acting outside the instructions of controllers. More detailed contract terms, and flow-down terms for sub-processors, are required.
Detailed records of processing activities must be kept by processors and controllers and must be made available for inspection by the Supervisory Authority. A limited exemption applies to SMEs that fulfil certain criteria.
Data subject rights have been supplemented to now include:
The practical implementation of the new rights (in particular, data portability) is likely to represent significant operational and technical challenges for organisations.
The theme of privacy by design permeates the GDPR, with the objective being for businesses to design products and services with the privacy rights of individuals at the forefront. Businesses will be required to implement privacy from the outset of any project impacting on personal information.
A Data Protection Officer (DPO) must be appointed by all public bodies and by businesses where core activities involve:
There is a limited exemption available for certain categories of SMEs.
The GDPR significantly increases the scope and nature of administrative fines for non-compliance, with the effect that failure to address data protection compliance obligations could prove very costly, in financial terms, for businesses. Organisations will be potentially subject to fines of up to:
In addition, and for the first time under Irish law, data subjects will have a right to sue for non-material damage in addition to material damage arising from data privacy breaches.
The GDPR will have a significant impact for all organisations doing business in Ireland and the EU. With the transition period now underway, it is vital for organisations and compliance officers to begin preparing for what will be the biggest change to data protection laws in over 20 years.