As it is precisely 12 months to the day the new European General Data Protection Regulation will come into effect, we decided to look at what changes we will see in Ireland.
Although the key principles of data protection won’t change, there will be changes to the regulatory policies. Below, we look at what changes we can expect in Ireland.
The territorial scope and applicability of the GDPR are much broader than those of the Irish Data Protection Act, which has limited reach outside Ireland and the EU. The GDPR will apply to:
- All companies that process the data of Irish and EU residents, regardless of their location.
- All companies based in the EU involved in processing personal data, regardless of where the individuals (referred to as data subjects in the Regulation) live.
- Companies that are based outside the EU, but process the data of EU residents (regardless of whether the processing takes place within Europe or not) will have to appoint an EU representative.
Right of access
- Individuals now have the right to request a copy of any personal data that organisations (data controllers in the Regulation) may be holding about them, as well as confirmation of where this data is stored and the purpose for which it is processed.
- Organisations and service providers (data processors in the Regulation) are obliged to provide a copy of the personal data, free of charge, in a format that is accessible to data subjects.
- Under the GDPR, companies must be able to respond to and comply with subject access requests within one month, dropping significantly from the current 40-day limit.
Right to be forgotten
- The right to erasure (‘right to be forgotten’) entitles data subjects to have their data erased by a controller without undue delay.
- Controllers must no longer disseminate the individual’s data, and in some cases organisations will be required to ask third parties to stop processing the individual’s data.
- When this right is invoked, organisations are able to retain data “for archiving purposes in the public interest”.
Privacy by design
- Organisations are obliged to incorporate data protection from the outset when designing new systems. Specifically, “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.
- Under the GDPR, data controllers and processors should only hold and process data when it is absolutely necessary for the completion of their duties.
- Access to personal data access should also be limited within companies to those who need it to complete their processing.
- Under the GDPR, individuals have the right to receive from data controllers a copy of their personal data “in a structured, commonly used and machine-readable format”.
- Individuals now also have the right to have their data sent to another organisation “without hindrance from the controller to which the personal data have been provided”. This right is already being acted upon in Ireland. A prime example is the new designated switching teams being developed by banks to allow you to easily switch provider. Hopefully, this new right will encourage competition as organisations will have to comply with any requests made.
- Under the GDPR, breach notifications will be mandatory “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
- Notification must be provided within 72 hours of first noticing the breach.
- Service providers are also obliged to notify the organisations involved “without undue delay” after becoming aware of a personal data breach.
- If a company suffers a breach under the current Irish Data Protection Act, “this can result in a criminal prosecution with fines up to €5,000 and on indictment €250,000 per offence”.
- Under the GDPR, there is a tiered approach to fines depending on the severity of the breach.
- A company can be fined 2% of annual global turnover or €10 Million (whichever is greater), if they breach certain articles of the GDPR, e.g. not having their data records indexed properly, not notifying the supervising authority and individuals about a breach, or not conducting an impact assessment.
- Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
- The basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
- The data subjects’ rights pursuant to Articles 12 to 22;
- The transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
- Any obligations pursuant to Member State law adopted under Chapter IX;
- Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1)
Data protection officer (DPO)
Under the GDPR, all Irish public service bodies and organisations that handle and process high volumes of personal data will have to hire, appoint or contract a DPO. Even where the GDPR does not specifically require the appointment of a DPO, it is highly encouraged by the European Article 29 Working Party (WP29) as a matter of good practice and to demonstrate compliance. The data protection officer must:
- Be appointed on the basis of their professional qualifications and qualities
- Possess expert knowledge of data protection law and practices
- Have their contact details registered with the data protection authority (Ireland’s supervisory authority the Data Protection Commissioner)
- Report directly to the CEO or senior management
- Be able to act independently of the company’s interests
Want to learn more about the effect the GDPR will have in Ireland and on your business? Learn from the experts what changes the GDPR will bring to Ireland on our one-day certified EU GDPR Foundation course in Croke Park, Dublin, on 12 June 2017 to learn more.