By Kirby Tarrant – O’Grady Solicitors and TAB Member
The GDPR applies to all organisations, regardless of size, so it includes small and medium enterprises and associations.
Existing data protection legislation is in place under the Data Protection Acts 1988 and 2003; however, the new data privacy regime is expected to result in enhanced transparency, accountability, and protection of individuals' rights.
What Benefits will GDPR bring?
The GDPR will bring the following benefits:
- It will give individuals residing in the EU more control over their Personal Data (i.e. “any information relating to a living identified or identifiable natural person”);
- It will make it easier for businesses to do business across the EU;
- It will give consumers confidence that their Personal Data will be respected and controlled.
What will GDPR mean for Data Controllers and Data Processors?
The GDPR will bring accountability to Data Controllers and Data Processors. A Data Controller is defined as a person/company/other body, who either alone or with others, controls the contents and use of Personal Data. A Data Processor is defined as a person/company/other body, who processes Personal Data on behalf of a Data Controller but does not include an employee of the Data Controller who processes such data during his/her employment.
What should organisations ask themselves about Personal Data?
Organisations should ask themselves the following questions in relation to Personal Data that they hold:
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption and accessibility?
- Do you ever share it with third parties, and, if so, on what basis?
- Was consent for processing Personal Data “freely given”?
What should you do to prepare for GDPR?
As a business you should consider doing the following:
- Carry out staff awareness training – anyone handling client/customer/employee data is impacted;
- Check all contracts, letters of engagement and website with GDPR in mind;
- Review your policies and procedures for the storing and handling of confidential client/customer data and Privacy Notices;
- Employers should review all Personal Data held to ascertain why/how it was obtained, why it continues to be held and for how long, how secure it is and whether it is ever shared with third parties and on what basis etc.
- Consider whether you need to obtain consent to hold Personal Data on employees in a separate document rather than within their employment contract;
- Audit your IT systems for compliance and risk to Personal Data;
- Consider if you need to assign a Data Protection Officer – part time or full time;
- If you use customer consent to record data – are you managing that process properly?
- How will you manage Data Access requests from people seeking to access, delete or amend their data?
- If there is a data breach, how will you deal with that and make sure your staff can also?
- Put an incident response plan in place.
What should you do if there is a Data Breach?
The GDPR introduces a mandatory 72-hour breach notification requirement. All breaches must be reported to the Data Protection Commissioner and to the affected individuals. Failure to report a breach when required to do so could result in a fine, in addition to a fine for the breach itself.
What are the consequences if you fail to comply with GDPR?
There are consequences if businesses fail to comply with the GDPR:
- For serious infringements, penalties up to €20,000,000 (or 4% of total annual global turnover, whichever is the higher);
- GDPR now makes it much easier for individuals to bring private legal action if their data privacy has been breached;
- It also allows individuals to sue for compensation if they have suffered non-material damage.