The General Data Protection Regulation (GDPR) promises to be the biggest transformation of European data protection law in the past 20 years and takes effect from Friday 25th May 2018.
Much speculation has surrounded the effect of the GDPR, and we at Sweeney McGann have been advising our clients, and providing complimentary in-house training, on compliance with and implementation of the GDPR.
Aoife Hennessy has been advising many of our clients in the lead up to this week and outlines the following guidelines for GDPR Compliance:
- Stay Calm
In many respects, our Irish data protection rules will look and operate the same. Many of the main concepts and principles of the GDPR are much the same as in our current Data Protection Acts, and if you and your organisation are compliant under the current law then many of your policies remain valid and may only need to be updated.
- Key Changes
- Enhanced rights of the individual - most notably the Right of Access, the Right to Erasure (the "right to be forgotten") and the Right to Data Portability.
- Data Subject Access Requests (DSARs) - From 25th May 2018 the time period for an organisation to respond to a DSAR is reduced from 40 days to one calendar month. That period may be extended by a further two months where a request is complex or an organisation has received a number of requests, but the data subject must be told of the extension, and the reasons for it, within the first month.
- Elevated Threshold for Consent - Review how you seek, obtain and record customer consent. Consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw consent as it was to give it.
- Security Breach Reporting - Data controllers are obliged to keep clear records of personal data breaches, including the facts relating to the breach, its effects and any remedial action taken. Unless the breach is unlikely to result in a risk to individuals, the controller must notify the supervisory authority (in Ireland, the Data Protection Commission) without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed. A processor that becomes aware of a breach must notify the controller without undue delay.
- Data Processors - The GDPR imposes direct obligations on processors and makes them liable for breaches when they act outside of the documented instructions of the controller. A processor that determines the purposes and means of processing in breach of those instructions is treated as a controller in respect of that processing.
- Records of Processing Activities - Detailed records of processing activities must be kept by both processor and controller. Organisations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to individuals, is not occasional, or includes special categories of data or data relating to criminal convictions.
- Mandatory Data Protection Officer - A DPO must be appointed by public bodies, and by businesses whose core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of personal data or data relating to criminal convictions.
- Fines - There is a significant increase in the scope of administrative fines for non-compliance, and they may prove to be very costly. For lesser breaches, organisations can be fined up to 2% of their annual global turnover or €10 million, whichever is greater. For more serious breaches, organisations can be fined up to 4% of their annual global turnover or €20 million, whichever is greater.
- Fail to prepare, prepare to fail
Use the implementation of the GDPR as an opportunity to review how you handle the personal data of your customers, patients, service users and employees, and to engage with them about it. Although the core rules remain the same, all organisations will need to have clear policies and procedures in place for GDPR compliance.
GDPR awareness and training are essential for GDPR compliance.
If you or your organisation require training or advice on GDPR compliance contact Aoife Hennessy or Ita Flanagan.