Whilst Data Protection legislation is nothing new, the new General Data Protection Regulation (GDPR) - which comes into effect on 25 May 2018 - puts in place new and rigorous requirements for organisations and how they handle the personal data of EU citizens. It gives new and enhanced powers to the Data Protection Commissioner, and provides for costly fines to penalise non-compliance.
The GDPR requires every business and public sector organisation to ensure that personal data is only held where justified, is well protected and not misused. It gives individuals more rights than ever over their personal information and how it is collected, shared and stored by organisations. Under GDPR, businesses must exhibit transparency and accountability when engaging in data handling processes – the onus is on each organisation to demonstrate compliance.
GDPR is here to stay, and while some organisations may not yet be fully prepared, it is never too late to get your systems in order to achieve compliance as soon as possible. Here’s a summary of what you need to know about GDPR.
Before you do anything else you first need to conduct a comprehensive audit of the personal data you hold on file. Only by doing this will you get a full view of the type of data you hold and what you need to do to ensure that data is treated appropriately under the new regulations. This also facilitates the requirement for organisations to produce a “record of processing” to demonstrate what data they hold, how they store it and for what purposes they retain it.
Review and refine data handling processes and procedures
The results of your audit will help you take steps to streamline data handling processes and procedures in your organisation and change or eliminate any that fall outside the standards required by the regulations. You must ensure that there will be no perceived negative impact on any data subject from your holding or handling of their data. You must also be in a position to securely delete data that is no longer needed, or make it available to any data subject who requests it.
Ensure you are justified in holding the data
You must have a valid reason for retaining a person’s personal information. There are a limited number of acceptable reasons under the regulations for holding data, for example that it is necessary for the fulfilment of a contract, that the data subject has given their explicit consent, etc. The holding of personal data purely for direct marketing purposes is a practice that the legislation seeks to regulate very tightly.
Review any third party data arrangements
If a third party data handler you use is found in breach of the regulations you are likely to also be held accountable. For this reason many (especially larger) organisations have been proactively seeking assurances on compliance from their providers in recent months. It is advisable that you put contracts and model clauses in place to protect yourself. A solicitor can help you do this.
Ensure you store personal data safely and securely
You must store any digital personal data on a secure network and carry out regular checks to minimise the risk of cyber corruption or unauthorised access. When it comes to hard copy data, this must be protected by adequate physical and procedural measures. You must also be able to demonstrate that the data you retain is relevant and up-to-date.
Understand that there are serious consequences for non-compliance
If a data breach occurs it must be reported to the Data Protection Commissioner within specified time frames, and in some cases also to the data subject(s) themselves. The Data Protection Commissioner now has the power to levy significant fines (potentially running into millions of euros) for non-compliance or serious data breaches. Previously only the Courts could levy these penalties. Data subjects have also been granted rights to compensation for non-financial damage.
Appoint an appropriate person to oversee GDPR compliance
Certain organisations are required to formally appoint a Data Protection Officer (DPO), but for the majority who don’t need this, having someone dedicated to GDPR compliance is a wise step. Whether a new recruit or an existing employee, you will want to appoint someone with excellent project management ability, adept at co-ordination and with the inter-personal skills to effect changes in work practices across the organisation.
For many people, GDPR is viewed as a headache; however, if approached correctly it can be used as a catalyst for positive business change. Indeed, it is an opportunity to update and rejuvenate data handling processes as well as improve the relationship you have with your data subjects.
With data protection issues cropping up more and more in the media, the general public are becoming more aware of their rights in relation to how their personal data is gathered and used by organisations. If you can demonstrate to customers and clients that your organisation is taking proactive steps to ensure you collect, store and update personal information in a professional and responsible way, then your actions will go a long way to reassure them and inspire long-term loyalty.
At Poe Kiely Hogan Lanigan we have considerable experience advising clients on business compliance matters, including data protection. To seek advice and guidance on your GDPR obligations and compliance requirements, please do not hesitate to contact Clare Quinlan to arrange a consultation.