Edited and prepared by Oscar Michel, Masters in Journalism, DCU.
Great guest post from the Mason Hayes & Curran team. The authors of the article are Philip Nolan, Mark Adair and Jevan Neilan. Mark Adair has written articles for Irish Tech News previously.
The General Data Protection Regulation (GDPR) is the new EU-wide data protection law which comes into force on 25 May 2018 and replaces current rules. With a large number of businesses processing personal data on a daily basis, organisations have limited time to ensure they understand the new regulation and take appropriate steps to comply with it.
Why is it Important?
The GDPR represents the future of data protection regulation in the EU. The GDPR builds on familiar concepts and rules but, in many ways, it goes further. It has a wider scope, standards have been raised, and sanctions are significantly higher. It will capture both information and organisations which have fallen outside the realm of existing EU data protection laws.
Organisations must adapt processes and technology to minimise risk and avoid significant fines. In particular, the introduction of the accountability principle means that organisations must focus on their internal compliance, including record-keeping, and, for some, appoint a data protection officer (DPO).
Key Areas for Consideration
Definition of Personal and Sensitive Data
The GDPR refines the definitions of personal data and sensitive data. Personal data is any information relating to an identified or identifiable person and now extends to online identifiers such as IP addresses and cookies.
The definition of sensitive data (data revealing, amongst other things, racial or ethnic origin, political opinions, religious beliefs, data concerning health, or a person’s sexual orientation) is now expanded to include genetic and biometric data. More onerous conditions must be satisfied to permit the processing of sensitive personal data.
Data Protection Officer
Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or involve processing large quantities of sensitive personal data, must appoint a DPO. DPOs must be expert in data protection law and privacy. They must also be able to act independently and report directly to senior management within organisations.
Accountability is a new concept introduced by the GDPR. It requires controllers to be able to demonstrate how they comply with the data protection principles. This is significant, as it shifts the burden of proof to the controller in the event of an investigation by a data protection authority (DPA).
If you rely on a data subject’s consent to process their data, they must freely give specific, informed and unambiguous consent. Where a data controller collects personal data for one specific purpose, the GDPR requires that data subjects give additional consent for each additional processing operation. The GDPR also gives EU Member States discretion to decide the minimum age at which data subjects can consent to the processing of their personal data. This allows the Irish Government to lower the age of consent from 16 to 13.
Privacy by design
Data controllers must ensure that privacy concerns are a key part of their decision-making. Privacy by Design requires organisations to consider privacy measures during product design processes, while Privacy by Default requires controllers to ensure that, by default, only necessary data is processed. Also, controllers will have to carry out data protection impact assessments for any actions that may pose a high risk to data subjects’ privacy rights.
If a controller suffers a data breach, the GDPR introduces a mandatory obligation to notify the local DPA without delay. Where possible, the GDPR states that controllers should notify their local DPA within 72 hours. Where the data breach poses a high risk to the privacy rights of data subjects, affected data subjects must also be notified without undue delay.
For the first time, companies that breach data protection law can face fines calculated with reference to their annual turnover. In certain circumstances, companies can be fined up to €20,000,000 or 4% of annual global turnover, whichever is higher.
Take Action now – GDPR app
Organisations have little time before the GDPR comes into effect. Getting to grips with a new compliance framework is a complex process. Therefore, when developing any new products or projects, businesses should have GDPR requirements in mind.
To help businesses understand these new rules and how they will apply, we have created an innovative GDPR mobile app. The app provides an insight into the broad scope of the GDPR. It explains in greater detail the areas discussed above and sets out a comprehensive roadmap of the steps businesses should take to help achieve full compliance before the GDPR comes into force.
The complimentary app is now available to download:
Click here to download the Android version, or search for it in the Google Play store.
Click here to download the Apple version, or search for “GDPR Guide” in the Apple App store.