The General Data Protection Regulation (GDPR) will replace existing data protection law in Ireland from 25 May 2018.
Why is the GDPR relevant?
The GDPR primarily applies to companies that are established in Europe and which process personal data in the context of those establishments. Types of personal data that are likely to be processed routinely include:
- Employee personal data – Any company that has employees will collect personal data in relation to those employees in the context of the employment relationship (e.g. CVs, contracts of employment, performance reviews and records of sick leave).
- Director personal data – Where a company does not have employees but does have non-executive directors, it is likely that such a company will collect an amount of personal data in respect of those directors.
- AML/KYC data – Undertaking appropriate AML and KYC processes is a key part of many transactions. This will include gathering personal data in relation to legal owners, beneficial owners, and key employees.
- Shareholder data – Depending on the structure of the company, it is possible that it would hold personal data in respect of its shareholders.
Key changes under the GDPR
The principles of data protection law under the GDPR are broadly similar to those which exist under current data protection law, such that the GDPR is in many ways an evolution of current data protection law requirements. However, there are areas where the changes that have been introduced could rightly be regarded as revolutionary. These include:
- Fines – Perhaps the most radical feature of the GDPR is the introduction of potentially severe administrative fines for non-compliance. The GDPR empowers national data protection supervisory authorities to issue fines of up to 4% of the annual worldwide turnover of the non-compliant company or €20 million (whichever is the greater).
- Demonstrating compliance – One of the most novel features of the GDPR is that it imposes an obligation on companies to be able to demonstrate their compliance with the obligations under the GDPR. This includes keeping records of all processing activities carried out and updating internal policies to demonstrate compliance with obligations under the GDPR (e.g. a policy outlining how the controller deals with data subject requests).
- Data protection officers – Certain companies will be obliged to appoint a data protection officer to oversee compliance with the GDPR. Where a company is required to appoint a data protection officer, the data protection officer must have certain designated functions, and they are given a form of protected employment status. It is also possible to appoint an external data protection officer on an outsourced basis.
Five key steps to compliance with the GDPR
In order to ensure compliance with the GDPR by 25 May 2018, companies should take the following key steps:
- Gathering information and gap analysis – In order to undertake a GDPR compliance project it is essential to first gather information in relation to a company’s current processing of personal data, including details of how personal data is collected, how it is processed and what third parties have access to that data. It is also important to gather copies of any current data protection policies and procedures, so that they can be reviewed for data protection compliance.
- Drafting a data protection policy – As mentioned above, being able to demonstrate compliance with the GDPR is a key requirement of the new law. A key part of this will be to draft a data protection policy that sets out how the company will comply with its obligations, and the records that it will keep to monitor compliance.
- Data protection notices – All data protection notices that are in use within a company will need to be updated to comply with the additional requirements under the GDPR. If the company has identified that it requires additional data protection notices as part of its gap analysis, these will need to be drafted and provided to the relevant data subjects.
- Contracts with data processors – Where a company engages a third-party service provider to process personal data on its behalf, that third party is regarded as a processor. The GDPR requires companies to update their contracts with their processors to include detailed, specific obligations. Companies will therefore need to engage with their processors to ensure that amendment agreements or data processing agreements are put in place prior to 25 May 2018.
- Implementation and training – A key part of all GDPR projects will be implementing the data protection policy and related procedures to ensure ongoing compliance. This is likely to involve specific training for staff who are responsible for handling personal data, and general awareness training for other staff members.