The GDPR (General Data Protection Regulation), which came into effect on 25 May 2018, places obligations on organisations to be more accountable for data protection.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person (data subject). The GDPR places much stronger controls on the processing of special categories of personal data than the Irish Data Protection Acts of 1988 and 2003.
Personal data can include, but is not limited to:
- Email address
- IP address
- Location data
- Profiling and data analytics
Data controllers and data processors
A controller is an entity that determines the purpose and means of processing, whereas a processor acts on the instructions of a controller.
Territorial scope of an individual
The GDPR deals with a data subject’s rights wherever they may be, irrespective of nationality or place of residence. It applies to entities based in the European Union and entities outside the EU that provide goods and services to individuals within the EU or monitor the behaviour of individuals within the EU.
To protect the confidentiality, integrity, and availability of personal data, and meet GDPR obligations, a controller must have appropriate policies, procedures and processes in place to protect personal data. This includes delivering data protection training to staff so they know what their responsibilities are in relation to protecting personal data.
Six core principles of the GDPR
The GDPR has six core data protection principles that data controllers must comply with. Personal data must be:
- Processed lawfully, fairly and transparently;
- Collected only for specific legitimate purposes;
- Adequate, relevant and limited to what is necessary;
- Accurate and, where necessary, kept up to date;
- Stored only as long as is necessary; and
- Processed in a manner that ensures appropriate security.
The accountability principle
As per Article 5 (2) of the GDPR, organisations must be able to demonstrate compliance with the six principles. This is more commonly referred to as the seventh principle: accountability.
The Regulation requires organisations to take a risk-based approach to data protection: they assess the risk to the rights and freedoms of individuals and implement actions accordingly. Therefore, data privacy should be on all organisations’ risk register.
The basic requirement is that an organisation must put in place a management system to enable it to clearly demonstrate what it is doing and what it needs to do to protect personal data, and to have appropriate technical and organisational measures in place to ensure it is appropriately protecting personal data.
Giving individuals control over their data
The GDPR gives individuals more control over how their information is collected and processed, while putting pressure on organisations that process EU residents’ personal data to tighten their data protection processes.
Where the data subject feels their rights have been infringed by a controller or processor, they have a right to make a complaint to the supervisory authority (the DPC (Data Protection Commission) in Ireland). The supervisory authority has powers of investigation, assessment and enforcement.
Penalties for non-compliance
The GDPR has a two-tier penalty structure, with a maximum fine of €20 million or 4% of global annual turnover, whichever is higher.
A data subject has the right to bring legal action against the controller or processor or both. The judicial remedy may be the court instructing a controller or processor to process data differently than they currently are, but it could also make an award of compensation. This compensation can be awarded to any individual who has suffered material or non-material damage as a result of the processing.
Non-material damage could be considered distress, damage to reputation, discrimination or social disadvantage. The potential damage to an organisation’s reputation, and bank balance, from multiple compensations claims could be considerably costlier than any fine from a supervisory authority.
The Regulation is binding across all EU member states, so the DPC has the power to investigate, assess and enforce in accordance with the provisions of the GDPR since 25 May 2018.
This is an excerpt taken from Alice Turley’s webinar ‘GDPR – One Year On’. To view the full webinar, click here.
Alice is a qualified data protection, compliance and insurance professional, consultant and trainer. She is highly experienced in data protection, consumer protection and compliance, providing expert and solution-based advice to organisations within the insurance, advertising and education industries.