The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, replacing the existing data protection framework under the EU Data Protection Directive.
The GDPR emphasises transparency, security and accountability on the part of data controllers, while at the same time standardising and strengthening the right of European citizens to data privacy.
Many of the main concepts and principles of the GDPR are much the same as those in our current Data Protection Acts 1988 and 2003 (the Acts).
The GDPR introduces new elements and significant enhancements which will require detailed consideration by all organisations involved in processing personal data.
It is essential that all organisations immediately start preparing for the implementation of the GDPR by analysing all current or envisaged processing against its requirements.
The GDPR gives data protection authorities more robust powers to tackle non-compliance, and also makes it considerably easier for individuals to bring private claims against data controllers when their data privacy has been infringed.
What you can do NOW to prepare for the GDPR
It is imperative that key personnel in your organisation are aware that the law is changing to the GDPR. They should start to identify areas that could cause compliance problems under the GDPR.
Make an inventory of all personal data you hold and examine it under the following headings:
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption (at rest and in transit) and of who can access it?
- Do you ever share it with third parties, and on what basis would you do so?
This is the first step towards compliance with the GDPR's accountability principle, which requires organisations to document the ways in which they comply with data protection principles when transacting business.
The inventory will also enable organisations to amend incorrect data or track third-party disclosures in the future, which is something that they may be required to do.
3.Communicating with Staff and Service Users
Review all current data privacy notices alerting individuals to the collection of their data. Identify any gaps that exist between the level of data collection and processing your organisation engages in, and how aware you have made your customers, staff and service users of this fact.
Before gathering any personal data, current legislation requires that you notify your customers of:
- your identity
- the reasons for gathering the data
- the use(s) to which it will be put
- who it will be disclosed to
- whether it will be transferred outside the EU
Under the GDPR, additional information must be communicated to individuals in advance of processing, such as the legal basis for processing the data, retention periods, the right to complain where customers are unhappy with your implementation of any of these criteria, whether their data will be subject to automated decision making, and their individual rights under the GDPR. The GDPR also requires that this information be provided in concise, clear and easy to understand language.
4.Personal Privacy Rights
Rights for individuals under the GDPR include:
- subject access
- to have inaccuracies corrected
- to have information erased
- to object to direct marketing
- to restrict the processing of their information, including automated decision-making
- data portability
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the Acts, but with some significant enhancements.
Review your current personal privacy rights procedures:
- How long will it take to locate (and correct or delete) the data in all locations where it is stored, including backups and third-party systems?
- Who will make the decisions about deletion?
- Can your systems meet the GDPR's data portability provision, where applicable, by providing the data electronically in a commonly used, machine-readable format?
5.How will Access Requests change?
The rules for dealing with subject access requests will change under the GDPR. In most cases you will not be able to charge for processing an access request, unless you can demonstrate that the request is manifestly unfounded or excessive. The timescale for processing an access request will also be shortened, to one month.
Organisations will have some grounds for refusing to grant an access request. Where a request is deemed manifestly unfounded or excessive, it can be refused. However, organisations will need to have clear refusal policies and procedures in place, and be able to demonstrate why the request meets these criteria.
You will also need to provide some additional information to people making requests, such as your data retention periods and their right to have inaccurate data corrected.
You could ultimately save your organisation a great deal of administrative cost if you can develop systems that allow people to access their information easily online.
6.What we mean when we talk about a “Legal Basis”
Every processing operation must rest on a lawful basis, and consent is only one of them. Under the GDPR, individuals will have a stronger right to have their data deleted where consent is the only justification for processing. You will have to state your legal basis for processing personal data in your privacy notice and when you answer a subject access request.
All organisations need to carefully consider how much personal data they gather, and why.
7.Using Customer Consent as a ground to process data
Customers must know exactly what they are consenting to, and there can be no doubt that they are consenting. Obtaining consent requires a positive indication of agreement; it cannot be inferred from silence, pre-ticked boxes or inactivity.
Consent must be ‘freely given, specific, informed and unambiguous.’
The GDPR is clear that controllers must be able to demonstrate that consent was given, so keep a record of what the individual was told, when and how they agreed, and allow them to withdraw consent as easily as they gave it.
8.Processing Children’s Data
The GDPR introduces special protections for children's data, particularly in the context of social media and commercial internet services. It sets the age below which an organisation must obtain consent from a guardian before processing a child's data at 16, but each Member State may lower this to no less than 13.
Have you adequate systems in place to verify individuals' ages and to gather consent from guardians?
9.Reporting Data Breaches
Have you adequate systems in place to manage data breaches that may arise and to comply with the notification requirements?
The GDPR requires your local data protection authority to be notified of a personal data breach within 72 hours of your becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. You must also keep an internal record of every breach, whether or not it is notified.
Breaches that are likely to result in a high risk to individuals (for example, identity theft or a breach of confidentiality) must also be reported to the individuals concerned without undue delay.
10.Data Protection Impact Assessment (DPIA)
A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals.
The GDPR introduces mandatory DPIAs for those organisations involved in high-risk processing, for example:
- where a new technology is being deployed
- where a profiling operation is likely to significantly affect individuals
- where there is large scale monitoring of a publicly accessible area.
GDPR enshrines both the principle of ‘privacy by design’ and the principle of ‘privacy by default’ in law. This means that service settings must be automatically privacy friendly, and requires that the development of services and products takes account of privacy considerations from the outset.
11.Data Protection Officers
The GDPR will require some organisations to designate a Data Protection Officer (DPO). Organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, and organisations who process what is currently known as sensitive personal data on a large scale.
Whether you appoint an internal DPO or an external data protection advisor, the person who takes responsibility for your data protection compliance must have the knowledge, support and authority to do so effectively.
What Should You Do?
Nine months seems like a long time, but there are many aspects of the GDPR that may require organisational-level changes. Don't wait.
Contact us on 01-846-42000 now and we can set up a meeting to discuss how we can help you.
This document is purely for guidance, and does not constitute legal advice or legal analysis. All organisations that process data need to be aware that the General Data Protection Regulation will apply directly to them.