The biggest revamp in privacy law in more than two decades is set to happen next year, and it is going to be a game changer for many organisations.
The new legislation, General Data Protection Regulation, known as GDPR, becomes fully active on the 25th of May, 2018.
GDPR is extensive in scope because it affects organisations of every size and type: large companies such as LinkedIn or Facebook, public sector organisations, non-profit organisations, SMEs, community groups such as sporting clubs, and even schools.
Does it apply to you? If your business or organisation collects personal data, then yes, it does.
Personal data is any information relating to an identified or identifiable living person. So if your organisation holds employees' and/or customers' personal contact details, then you need to pay attention to GDPR.
The current data protection laws in Ireland date back to 1988, and as such, the General Data Protection Regulation is new but not entirely alien.
The major difference the new legislation brings on board is the fact that it places a lot more obligation on organisations to prove their compliance.
GDPR is heavily focused on accountability. Each organisation has to shoulder the burden of proof of its compliance with the new legislation.
Organisations are required to tell individuals what personal data is collected, why it is collected, how it will be used and who has access to it.
Additionally, individuals will have enhanced protection and more rights over their personal data. GDPR allows individuals to make requests of organisations, such as access to, correction of or erasure of the data held about them.
Organisations must respond to these requests within one month under the new legislation. An organisation that fails to respond exposes itself to enforcement action, including fines, by the Office of the Data Protection Commissioner.
Prior to the new legislation, breaches of data protection law did not carry heavy penalties. With GDPR, things are about to change. The new law packs a brutal punch for defaulting organisations.
The new law carries two tiers of fines, with the top tier reaching up to €20 million or 4% of an organisation's worldwide annual turnover, whichever is greater.
If your organisation breaches the new law and is sued by an individual as a result, that person now has the right to pursue compensation for non-material damage.
Such an individual is not required to show a financial loss due to the infringement on their personal data; they can seek compensation on the basis of hurt feelings, distress, damage to reputation etc.
Alternatively, a group of individuals can act together, under the umbrella of a non-profit consumer body, to bring a quasi-class action against a defaulting organisation.
With GDPR coming into effect in the middle of next year, it is important that organisations begin preparing now to avoid a potentially disastrous backlash.
The new law applies to the entire life cycle of collected personal data i.e. from the moment of collection till its final disposal.
As such, you and your organisation need to start reviewing all collected and processed data, the uses for this data, how the data is being disposed of, and who has access to it.
You should ensure that you have a legal basis for collecting and processing data that is in accordance with those listed in the General Data Protection Regulation law.
External privacy policies should be revamped and refreshed to provide adequate information to individuals as regards data collection.
Internal policies and consent forms should also be looked at to ensure that they are in compliance with the new law, and if they are not, you should start working on getting them right now. Full transparency is the watchword here.
SMEs, in particular, must meticulously look at personal data they have shared through supply chains and outsourcing. Contractual terms should be in place to protect personal data.
It is also important to train your staff on the basics of personal data protection so they do not breach the new law. A breach of GDPR could occur simply by sending a letter or email containing personal data to the wrong person.
If you need guidance on ensuring your organisation's compliance with GDPR, contact us. Our specialist team of commercial solicitors will gladly discuss your requirements with you.