GDPR replaces all previous Data Protection Acts & Regulations across the EU. It comes into effect on 25th May 2018. In Ireland it replaces the current legislation, the Data Protection Acts 1988 and 2003.
The GDPR seeks to provide individuals (“data subjects”) with more control over their data. Along with this increased control comes increased obligations for businesses.
The legislation introduces a large number of changes resulting in increased requirements to achieve GDPR compliance. Some of the more significant changes and headlines include:
- The GDPR has strict penalties, with organisations potentially subject to fines of up to the higher of €20m or 4% of worldwide annual turnover. For the first time, data subjects will have the right to sue for non-material damage arising from data privacy breaches;
- Explicit consent for data collection, data usage and marketing must be obtained from the data subject;
- New responsibilities for data processors and data controllers e.g. a requirement to maintain records of personal data and processing activities;
- The regulation introduces the concept of accountability which requires organisations to demonstrate the ways in which they comply with data protection principles when transacting business;
- New rights exist such as the right to be forgotten, the right to data portability and the right to data profiling and data correction;
- GDPR brings in mandatory breach notifications. All breaches must be reported to the Data Protection Commissioner, typically within 72 hours, unless the data is anonymised or encrypted;
- In certain cases, a Data Protection Officer must be appointed to monitor the organisation’s compliance;
- The GDPR increases the amount of information to be given to a data subject when providing access, and the time period for dealing with requests has been reduced to one month.
Privacy is a growing concern and a fundamental right of data subjects. The rights over personal data will intensify in the years ahead. If they have not done so already, organisations need to start preparing for GDPR compliance to avoid severe fines if found non-compliant.
RBK can assist you in your efforts to meet your data protection obligations by providing the following assistance:
- Assess your organisation's current structure and GDPR readiness;
- Identify and report on the GDPR risks and compliance gaps within your organisation;
- Identify areas of most material non-compliance and prioritise mitigating steps, especially in relation to high-risk processing activities;
- Offer practical solutions to become GDPR compliant;
- Conduct Data Privacy Impact Assessments;
- Assist in the development of GDPR Policies and Procedures;
- Provide Data Protection training across your organisation.
Please contact a member of our Business Risk Services team for further information.