On May 25th 2018, the EU GDPR came into effect, and it affects almost every organisation in Europe and beyond. The GDPR is a game changer; of this, there is no doubt. It provides individuals with strengthened rights over their personal data and it imposes harsh punishments on organisations that fail to adhere to the new laws.
So what is the GDPR?
Firstly, GDPR stands for General Data Protection Regulation.
This regulation is an overhaul of the existing data protection legislation. It replaces the previous acts and now means that every country in the EU will follow the exact same rules.
The GDPR was brought about principally because the old legislation was inadequate for the vast quantities of personal data being processed nowadays.
One illustration of the scale of the risk: according to surveys, the biggest risk to the personal data your organisation holds comes from your own staff.
Under the new regulation, a breach will have the potential to cost you a lot of money. It can affect your organisation’s reputation. Without trying to be over-melodramatic, a breach has the potential to affect the future of your company.
So, what’s different?
Well, to start, it has redefined personal data as follows:
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Examples of personal data include names, physical addresses, email addresses and identification numbers.
Personal data also includes information that could indirectly identify an individual, such as IP addresses or web browser cookies.
Similarly, Sensitive Personal Data defines personal data that requires additional safeguards and can be thought of as follows:
“Sensitive Personal Data” is personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU’s legislative competence).
Under the GDPR, notification of a Serious Breach must be made to the National Data Protection Authority within 72 hours of discovering the breach.
The GDPR will now also apply if the personal data is handled abroad by companies active in the EU market, regardless of whether any payment is required for the service or product provided. This means that companies based outside Europe will fall under the regulation if they transact with people within the EU.
Multi-national organisations are now treated as a single entity.
The rules apply to both data controllers and data processors; obligations will exist for both.
Some of the new features of the GDPR include additional and/or strengthened rights for the individual:
- Right to be Informed – information on the purpose of the data being collected written in clear and plain language.
- Right of Access – the right to access their personal data if requested
- Right to Rectification – to have personal data corrected if it is inaccurate or incomplete
- Right to Erasure or “right to be forgotten” – to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing
- Right to Restriction – a right to ‘block’ or suppress processing of personal data
- Right to Data Portability – allows individuals to obtain (free of charge) and reuse their personal data for their own purposes across different services
- Right to Object – for example to direct marketing
- Rights in relation to automated decision making and profiling
Data Protection by Design will become the norm: products and services will be designed to ensure compliance with the above, with safeguards put in place at the earliest stages of development. Privacy-friendly settings will become the standard. In order to use an individual’s personal data, they must provide you with explicit, verifiable consent. In addition, the organisation must tell them how their personal data will be used (and it cannot be used for any other purpose) and how long it will be retained.
But sure, what’s the worst that could happen to an organisation if it doesn’t do all this?
For starters, the fines are set to be big. Really big!
Fines can reach €20,000,000 or 4% of global group turnover.
In addition, individuals have the right to compensation from the controller or processor for damage suffered from an infringement of the regulation.
The GDPR also introduces the possibility of class actions against an organisation.
Don’t think of it as a stick with which to punish you. Think of it as a way of adopting improved business processes.
What can my organisation do?
- Revise your privacy policies
- Set up internal procedures and protocols for handling requests of data subjects
- Consider the design of user interface systems
- Review your marketing lists
- Conduct a Privacy Impact Assessment
- Decide if you need or should have a DPO
Olas offer a number of services that will prepare you for the GDPR including:
For a no-cost discussion on how the GDPR affects your organisation, please call Conor or Fergal on 01-2790020 or email the team at GDPR@Olas.ie.