GDPR: The New Legal Framework
There has been an increase recently in coverage of the EU General Data Protection Regulation ("GDPR"). Regardless of what happens with Brexit, it will be coming into effect on 25 May 2018 and is the first major data protection reform in the past 20 years. The changes are significant and the fines that can be levied have increased dramatically, so it is important that you are taking appropriate steps now to ensure that your business is compliant. We set out below the key changes and suggested steps your business should be taking now to ensure you are sufficiently prepared.
Accountability and Transparency
The key concepts underpinning the GDPR are "accountability" and "transparency".
It is essential that you have the appropriate systems and procedures in place to not only ensure your business is compliant but to be able to demonstrate to the relevant authorities how you are compliant. Key steps you can take to demonstrate compliance include adequate training of staff on data protection and information security, and appointing a Data Protection Officer (DPO).
Transparency is designed to give users a greater understanding about how you are using their personal data. At present, if you are a data controller you are only required to tell people who you are, for what purposes you will use their data and a vague obligation to provide any other information which is required in the circumstances to make the processing fair.
Under the GDPR, there are new absolute obligations for data controllers which must be adhered to at the time the personal data is collected.
One of the key changes under the GDPR is that data processors will have direct obligations for the first time. You should review you supply agreements to determine how these changes will impact your business and to ensure that your agreements are GDPR compliant. You should ensure you are fully aware of those agreements where you are a data controller and those where you are a data processor. If you do act as a data processor you will going forward be liable for harm caused by a breach of the GDPR to the extent that you have not complied with your contractual and statutory obligations.
Under the GDPR, consent for processing has been revised. You should review how you are seeking, obtaining and recording consent and consider whether more explicit consent is needed.
Subject Access Requests
Under the GDPR, the timeframe for responding to subject access requests has decreased from 40 days to a month. You are now also not entitled to charge a fee unless certain criteria are met. We anticipate that subject access requests are going to increase as individuals become more aware of their rights so it is vital that you review your procedures and adopt a systemic approach.
Train your staff to spot and deal with SARs and ensure you have a clear policy in place as time will move very quickly once a SAR is received.
As we have all seen, hacking and data breaches are becoming more prevalent. Reports of security breaches are now common place and it seems that no one is immune. Under the GDPR, you will have to notify the relevant authority within seventy two hours where feasible.
We recommend reviewing and revising your data breach management policies to ensure all breaches are reported to your supervisory authority. You should review and revise your security measures to ensure they are robust enough to meet the requirement of the GDPR.
International Data Transfers
If you currently transfer personal data internationally during the course of your business, you should review your international data transfers and ensure you have the appropriate mechanisms in place to be compliant with the GDPR.
The fines under the GDPR have increased significantly, and the GDPR introduces a two-tiered approach to fines, depending on the nature of the breach, so the maximum fine will either be the greater of €10million or 2% of turnover or of €20 million or 4% of turnover. You can also face personal claims form individuals for damages if their rights are infringed.
The changes being implemented by the GDPR are significant. You must take steps now to ensure you are ready for 25 May 2018 and we would recommend the following:
- Get board buy-in and support for your data protection compliance and to ensure you have a sufficient budget to market the necessary changes to your organisation.
- Take an inventory of all of the data you collect and assess how you process it.
- Review your data protection policy and your data retention, security and data breach notifications procedures.
- Review your privacy notices and how you obtain consent to process data
- Review your contracts with third parties.
- Appoint a Data Protection Office so that someone is taking responsibility for ensuring your compliance with data protection laws.
If you takes these steps and update your policies and procedures you should be well placed to deal with the many changes that the GDPR will bring into effect.
If you have any queries on GDPR, please contact Mark Thompson or your usual A&L Goodbody contact.