What is the GDPR?
The General Data Protection Regulation (GDPR) will replace current data protection laws in the European Union from 25th May 2018.
The new Regulation will give individuals greater control over their data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations. The GDPR also imposes corresponding and increased obligations on organisations that collect this data, whether they are in the public, private or voluntary sector.
Many of the main concepts and principles of GDPR (and the enacting legislation in Ireland, the Data Protection Bill 2018) are much the same as those in our current Data Protection Acts 1988 and 2003. This means that if you are compliant under current law, then much of your approach should remain valid under the GDPR. However, the new elements and enhancements introduced by GDPR require detailed consideration by all organisations involved in processing personal data. Some elements of GDPR will be more relevant to certain organisations than others.
What is personal data?
Personal data is any information relating to an identified or identifiable living individual. This includes a name, an ID number, location data (for example, location data collected by a mobile phone), a postal address, online identifiers such as an IP address or cookie identifier, online browsing history, images, or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person. Data that identifies a person only when combined with other information held by the organisation or by someone else, including pseudonymised data, is still personal data.
What is data processing?
The term 'data processing' refers to any operation or set of operations performed on personal data (in either electronic or physical format). Processing includes storing, collecting, retrieving, using, combining, erasing and destroying personal data, and can involve automated or manual operations. Therefore, an organisation is 'processing' personal data if it stores the personal data of customers or employees electronically or in hard copy.
What are the principles of GDPR?
The GDPR is based on the core principles of data protection that already exist under current law:
- Transparency - To obtain data fairly from individuals (by giving notice of the collection and its specific purpose) and, where consent is the basis relied on for the processing, to ensure that consent for its use has been given;
- Data Minimisation - To collect no more data from an individual than is necessary for the purpose for which it will be used;
- Accuracy - To ensure personal data is accurate and, where it is not, to correct or erase it without delay;
- Limited retention - To retain data only for as long as is needed for the purpose intended;
- Safety/security - To ensure that data received is held safely and securely;
- Accessibility - To provide individuals, on request, with copies of any personal data held.
What rights do individuals have under GDPR?
Under the GDPR individuals have the significantly strengthened rights to:
- Obtain details about how their data is processed by an organisation or business;
- Obtain copies of personal data that an organisation holds on them;
- Have incorrect or incomplete data corrected;
- Have their data erased by an organisation where, for example, the organisation has no legitimate reason for retaining the data;
- Obtain their data from an organisation and have that data transmitted to another organisation (Data Portability);
- Object to the processing of their data by an organisation in certain circumstances;
- Not be subject (with some exceptions) to decisions based solely on automated processing, including profiling, where those decisions have legal or similarly significant effects on them.
Why does GDPR matter to organisations and businesses?
The GDPR will require organisations and businesses that collect and/or process personal data to meet a very high standard in how they collect, use and protect data. Very importantly, organisations must always be fully transparent to individuals about how they are using and safeguarding personal data. This includes providing this information in a concise and easily accessible way and in clear, easy to understand language.
To deal with organisations and businesses that contravene the law, the Data Protection Commissioner is being given more robust powers to impose very substantial sanctions, including the ability to restrict data processing and impose fines. Under the new law, the DPC will be able to fine organisations up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements.
The GDPR will also permit individuals to seek compensation through the courts for breaches of their data privacy rights, including in circumstances where no material damage or financial loss has been suffered.
What do organisations and businesses that process personal data need to do?
Businesses and organisations that process personal data must adopt appropriate, common-sense controls to prevent, reduce and manage the risks posed by their processing of individuals' data. The GDPR requires businesses to be transparent in communicating their data processing activities, to process personal data securely, and to be accountable, that is, able to demonstrate that they comply with these obligations.
As the coming into force of the GDPR approaches, businesses should ensure they are ready by reviewing their current approach to data usage and retention and testing this against the requirements of the GDPR. To assist them, the Office of the Data Protection Commissioner has produced a lot of useful material on how to prepare for GDPR and has developed a dedicated website: www.gdprandyou.ie.