24 October 2018
Now that the General Data Protection Regulation (GDPR) has been in force for more than three months, we are seeing how it operates in practice. Organisations are dealing with an increase in queries from individuals about the processing of their personal data, while the Data Protection Commission (DPC) received 1,184 data breach notifications in the two months following the introduction of the GDPR.
The GDPR has introduced, and expanded upon, a number of rights for individuals that enable them to understand how their data are processed and shared, and it is designed to give individuals more control over their personal data. As well as a right of access, individuals now have, in certain circumstances, an explicit right to have their data deleted (the right to erasure, often called the 'right to be forgotten'). Companies are consequently having to deal with requests from individuals wishing to exercise this and related rights under the GDPR, including the right to rectification and the right to data portability.
Technology companies, retailers, banks and media groups appear to be among those most affected by requests and complaints, owing to the large amounts of personal information they typically hold. After an initial flurry of requests following 25 May 2018 (when the GDPR came into force), some of the companies surveyed say they are still working through a number of these requests.
Under the GDPR, there is no prescribed format for making these requests: a request is valid whatever channel it arrives through, whether by letter, email, a web form, social media or in person. Companies therefore need to be vigilant in identifying requests wherever they land and be ready to respond within the applicable timeframe of one month from receipt. That period may be extended by up to a further two months where necessary, taking into account the complexity and number of the requests, but the individual must be told of the extension, and the reasons for it, within the first month.
As soon as an organisation becomes aware that a personal data breach has occurred, it must notify the relevant regulator (the DPC in this jurisdiction) 'without undue delay' and, where feasible, not later than 72 hours after having become aware of the breach. Where notification cannot be made within 72 hours, the reasons for the delay should accompany it. Information may be provided to the DPC in phases as it becomes available and as the extent of the breach becomes clearer. There is one exception to the notification requirement: a breach does not have to be notified to the DPC if the organisation is able to show that it is 'unlikely to result in a risk to the rights and freedoms' of the affected data subjects. Even where that exception applies, the organisation must still document the breach, its effects and the remedial action taken, so that the DPC can verify compliance after the fact; and where a breach is likely to result in a high risk to individuals, those individuals must also be informed without undue delay.
In the UK, the ICO reported receiving 6,281 data protection complaints since the rules were introduced. That figure counts complaints from individuals rather than breach notifications from organisations, so it is not directly comparable with the DPC's 1,184 breach notifications, but both point in the same direction.
It is clear from the sharp increase in the number of requests and complaints that individuals are increasingly aware of their rights and protective of their personal data. For businesses, the GDPR is proving to be a challenge, but it can also be a competitive advantage for those that find practical ways to assure customers that their new rights under the Regulation are being respected.