GDPR – What, When, Why?

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the EU. This new regulation will come into force on the 25th May 2018.

As a regulation, it will not generally require transposition into Irish law, regulations have direct effect, so organisations involved in data processing of any sort need to be aware the regulation addresses them directly in terms of the obligations it imposes.

Why is it being implemented?

Since 2003 there has also been an explosion in the volume of consumer data used and stored by businesses large and small across the EU. Current regulations are not tailored for the digital economy, which is a significant problem for both businesses and consumers.

The GDPR emphasises transparency, security and accountability by data controllers and processors, while at the same time standardising and strengthening the right of European citizens to data privacy.

Steps that need to be implemented:

The following are practical steps your organisation should follow to prepare for the implementation of GDPR.

  • Ensure all decision makers are briefed on the importance of the law and on the consequences that a failure to comply may have for the business in terms of sanctions, penalties and damage to brand and reputation. GDPR has severe penalties for organisations that lose data, up to €20m, or 4% of an organisation’s revenue, whichever is higher. Penalties are broken out into two main categories, with the second category attracting a smaller maximum penalty of 2% of turnover, or €10m.
  • Assign responsibility to a Data Protection Officer and a budget for data protection compliance.
  • Review how you obtain consent for all personal data collected and ensure it is in line with the GDPR requirements.
  • Establish how the organisation deals with information requests, correcting inaccuracies, erasing information and data portability.
  • Establish a full compliance program incorporating Privacy Impact Assessments (PIAs), regular audits and training.
  • Review existing supplier arrangements and procurement contracts to ensure reflect the GDPR’s data processor obligations.
  • Update communicating privacy information. There is additional content that will need to be added to your privacy notice, for example explain the legal basis for processing the data and the organisation’s retention data periods.

Final Note:

Ensure all the above procedures are documented in a data protection policy manual, to ensure the person responsible for data protection compliance maintains and updates the policy manual.