GDPR – Cyber attacks, big data, new data protection regulations. Is my business ready?

GDPR will come into effect across the EU on 25th May 2018, bringing with it a new set of data protection rules and the potential for major fines with no grace period.

If your business holds or processes personal data, you should start planning.  The first step is to simply make an inventory of all personal data you hold and examine it under the following headings:

  • Why are you holding it?
  • How did you obtain it?
  • Why was it originally gathered?
  • How long will you retain it?
  • How secure is it, both in terms of encryption and accessibility?
  • Do you ever share it with third parties and on what basis might you do so?

In the first of our information briefings to clients on GDPR, Jemma Lyons has prepared the following note.

New EU Data Protection Regulations–

The introduction of the New EU General Data Protection Regulations (“GDPR”) which is set to formally come into place on the 25th of May 2018 will have significant implications on Irish businesses in terms of their Data protection policies and how they handle personal data on a day to day basis.

It is important for Irish businesses to understand the implications of GDPR so that they are fully aware of the changes before they take effect and therefore prepare their businesses for these changes.

Firstly, GDPR will now extend to not only data controllers, as under the 1995 Directive, but also now places a new legal obligation on data processers. This has an important impact for any data processors who will now also be held responsible for protection of any data they might handle on behalf of third parties.  The objective of making data processors liable aims to strike a more even balance between data processors and data controllers making them both jointly and severally liable for any breaches that might occur.

It would be advisable for businesses to ensure that any third-party contracts are reviewed in light of this change so to ensure compliance with the regulation.  Failure to comply with the regulations will see data processors liable for damages and potentially severe financial sanctions.

Secondly the regulations introduce the concept of extra territoriality which in essence means that not only does the regulation apply to companies within the EU but will also apply to organisations located outside the EU if they are companies that offer goods or services to or monitor the behaviour of EU Data subjects.

It is therefore prudent for companies to remember that this regulation applies to all organisations processing or holding data of persons residing within the European Union regardless of the location of the company.  It will become more important for companies outside of the European Union who are targeting the data of EU citizens to look at the possibility of appointing a representative within the EU will act as a point of contact.

Thirdly, the regulations will introduce more stringent obligations on data controllers in that they will be now obliged to provide information to users about their rights as well has being in a position to show evidence that users have been informed of their rights with regards the use of their data.  The concept of consent is also reinforced and it will be even more important for companies to show that consent of the data subjects has been “freely given, specific, informed and unambiguous.”  A clear record of obtaining consent should be retained.  It will be important for companies to review any opt out provisions that they might currently have in place as, under GDPR, it will be the user’s right to opt in if they wish for their data to be used as opposed to opting out.

The Regulations also now introduce the  concept/ principle of accountability which will now require data controllers to be able to demonstrate how they comply with the data protection principles in general and therefore it will be even more important for companies and businesses alike to ensure that their policies and procedures are up to date in light of the new regulations that are coming in to force.

In theory, companies should be easily able to demonstrate by the documents they hold that they are in compliance with the new regulations.  It is advisable that companies keep a written inventory of all the data that they hold and the reasons why they hold the information, the reasons why, why it was originally gathered and how long it is intended to retain the information on their systems.

In this regard, it would be advisable for companies to consider appointing a specific person within the organisation to deal with or be the point of contact in respect of issues surrounding data protection which will be even more important now with the changes GDPR will introduce in relation to the time frame data access request are processed which has been reduced from 40 days to one month.

Finally, given that we are likely to see a “hard” Brexit coming down the line, Ireland could find itself at as a new central hub for data protection for companies outside the European Union who continue to supply goods or services or monitor consumer behaviour in the EU and therefore companies in Ireland could take advantage of the UK decision to leave the EU, at least in respect of the GDPR.

Jemma Lyons
+353 1 562 0700