The GDPR is here.
New improved Data Protection. Get ready now or pay the price later
The General Data Protection Regulation (GDPR) has become law throughout the EU on the 25th May 2018. It represents a major overhaul of data protection regulations in Europe. It has replaced all data protection regulations which were current at that time. In Ireland our previous data protection legislation was embodied in the Data Protection Act 1988 as amended by the Data Protection (Amendment) Act 2003.
What businesses are covered?
Any business which is involved in processing the personal data of an EU data subject is affected by the regulations. It does not matter where that business is located. If it is processing the personal data of an EU data subject ( a natural person residing in the EU) then it must implement thr regulations.
What constitutes personal data?
The definition is very broad. It covers any information relating to a natural person (data subject) which can be utilised to identify that person, either directly or indirectly. As well as the usual suspects, such as name, address etc, this could also include a computer IP address or similar data.
What is the difference between “explicit” and “ unambiguous” data subject consent ?
The requirements for consent have been strengthened. You can no longer bury the request in the middle of long paragraphs reciting all of your terms and conditions in obscure legal language. Consent must be clear and distinguishable from other matters using plain language. The data subject must be able to withdraw consent as easily as it gave it.
Explicit consent must be given in relation to sensitive data.
Unambiguous consent is sufficient for non sensitive data.
What rights does an EU data subject have under GDPR ?
The right to be notified. Notification of a breach will become mandatory where it is likely to “ result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of becoming aware of the breach.
The right to obtain confirmation as to whether or not personal data concerning them is being processed. The data controller is obliged to provide an electronic copy of the data free of charge.
The right to be forgotten. A Data subject can request the deletion and discontinued use of their data, when certain conditions are met, e.g. the data is no longer relevant to the original purpose, or consent has been withdrawn.
The right to receive the data in a commonly used and machine readable format.
Privacy by design
This call for the implementation of data protection from the outset. It must be incorporated in all aspects of the organisation’s procedures and systems. It must minimise the data needed and also restrict access to those authorised to use it.
I already have strong data protection compliance procedures. Do I still need to make changes?
For those businesses who already have robust data compliance procedures in place, the change over should not prove difficult. It is important that you carry out a complete review of your data protection measures in the light of the new regulations, to ensure that you are not in breach of any of the new General Data Protection Regulation regime requirements. Administrative fines of up to €20,000.00 ( or 4% of total annual global turnover, whichever is the greater) can be imposed for non compliance.
I have a number of employees working from home as a result of Covid-19 restrictions. How can I make them aware of their obligations to protect data when working from home?
Consider booking our course " Protecting Data when Working from Home" It makes the employee aware of the risks to data when working from home. It is an online course with continuous assessment and a certificate of completion. Being online it complies with the Covid-19 restrictions on social distancing. By booking a course for each employee, you can help reduce the risk of a data breach occurring when the employee is working from home in a new environment. There are quizzes and questionaires to test the employees knowledge and comprehension of the topic. It helps you as an employer to discharge your responsibility to train your employees in GDPR compliance.
See also article on Remote Workers/Home workers here
Do I need to appoint a Data Protection Officer (DPO)?
Most businesses do not have to appoint a DPO. The exceptions are (i) public authorities (ii) organisations that engage in large scale systematic monitoring or (iii) organisations that engage in large scale processing of sensitive personal data. (Art 37) . If your business does not fit any of these categories, then you do not have to appoint a DPO. For more on appointing a DPO see
I have lots of time between now and 25th May 2018, I’ll start in April 2018
There is quite a lot of work involved in checking and changing all of your policies and procedures to ensure that they comply with the new regulations. You should start now and get the job done. Putting it off only increases the pressure and the risk of not getting it completed in time.
Where can I get more information?
The office of the Data Protection Commissioner has produced a handy checklist, which is a very useful starting point for Irish businesses who wish to be fully compliant with the new requirements by 2018.
You can download a copy.
Download The GDPR and You here ;
Download The General Data Protection Regulation (2016/679) here ;
Download A Guide to help SME's prepare for the GDPR here ;
Download A GDPR Checklist for SME's here ;
I don’t have the time to carry out a review, can I get help with this task?
Yes. Contact us and we would be happy to help. We will contact you to discuss your needs. We will then agree what has to be done, the timeframe for achieving it and the cost. Just click on the blue contact us button.
Spread the knowledge. If you found this article useful, please like and share using any of the social buttons below.
Image courtesy Blogtrepreneur Some modification (banner)