The GDPR comes into effect in May 2018, so Irish companies need to start planning their approach to GDPR compliance sooner rather than later. With the 12-month countdown to the compliance deadline looming, what can Irish companies do now to be prepared?
The Office of the Data Protection Commissioner (ODPC) issued a set of guidelines last year for individuals and organisations. We decided to take a look at the key guidelines to kick-start your GDPR preparation.
The five key guidelines companies should be aware of:
1: Awareness
All key personnel should be made aware that the law is changing and what the changes are. For medium-sized to large organisations in Ireland, it will be a major drain on resources to ensure compliance with the GDPR. Companies in Ireland should prioritise training staff on the incoming changes driven by the Regulation. This can be done using online training courses such as our GDPR Staff Awareness E-learning Course.
2: Personal privacy rights
Companies should be reviewing their procedures to ensure they cover all the rights individuals have. Under the GDPR, individuals’ rights will be modified, depending on your reasons for processing their personal data.
The new rights for individuals under the GDPR include:
- The right to access
- The right to rectification
- The right to erasure
- The right to object
- The right to restrict processing
- The right to data portability
3: Legal basis
Companies should be looking at the various types of data processing they are carrying out and whether each has a valid legal basis. You should review your privacy notices and policies, and put a plan in place for making any necessary changes. The GDPR gives people a stronger position when requesting to have their data deleted if you use consent as your legal basis for processing.
4: Reporting data breaches
It seems that many Irish companies are still not aware of, or thinking about, the threat of security breaches to their business and the impact such a breach might have on their finances and their reputation. It is crucial that you have the right procedures in place to detect, report and investigate a personal data breach.
The GDPR will bring in mandatory breach notifications, which will be new to many organisations. As opposed to the Code of Practice currently observed by many Irish companies, the GDPR sets out a number of specific obligations on companies to notify the Data Protection Commissioner of certain categories of data breaches without delay and, when necessary, within 72 hours. EU GDPR: An Implementation and Compliance Guide is a must-have for developing and implementing these procedures.
5: Penalties for offences under the GDPR
The most significant change being brought in with the GDPR is the increase in fines for both data controllers and data processors who are prosecuted for data breaches. The GDPR introduces a two-tier system for penalties. The most notable of these is up to €20,000,000 or 4% of the annual worldwide turnover – whichever is greater – when a company is found to be non-compliant.
It is clear that with the GDPR on its way many Irish companies have a great deal to consider. While there is business uncertainty in Ireland with Brexit on the horizon and the impact this will have on Irish companies, Ireland will retain the EU standards, so Irish companies will still be held to the GDPR even if their primary market is in the UK.
Unsure about where to start in preparing for the GDPR? Why not attend our upcoming Certified EU GDPR Foundation and Practitioner Combination Course?