On 25 May 2018, the General Data Protection Regulation (GDPR) came into effect, revolutionising the way that personal data is used and handled.
Representing the largest and most important change to data protection in 20 years, the new EU regulation has fundamentally altered the data landscape in Ireland.
Any organisation that breaches the rules of GDPR faces financial sanctions, reputational damage and public scrutiny over data protection shortfalls.
There are challenges ahead for all business units from marketing, to sales, to IT. But there are also opportunities to change your approach to privacy, refresh your systems and ensure they are fit for today's digital economy.
Ensuring GDPR compliance requires multi-disciplinary skill sets. Our experts can help with the challenges and opportunities ahead.
| July 2009 | European Commission (EC) launched a consultation regarding challenges for personal data protection, in light of new technologies and globalisation. |
| November 2010 | EC issued a Communication to the European Parliament and the Council setting out its approach to revising the legal framework for protecting personal data. |
| March 2011 | The Council of the European Union (CEU) published its conclusions on the Commission's approach. |
| January 2012 | EC set out its proposals to reform data protection throughout Europe and publishes a draft revised Data Protection Regulation. |
| October to November 2012 |
European Parliament (EP) led an inter-parliamentary hearing with national parliaments. |
| Autumn 2013 | Informal negotiations between EP and CEU as to the drafting of regulation. Separately the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted on a compromise text. |
| March 2014 | EP held a plenary vote in first reading of the draft Regulation and adopted the LIBE compromise text. |
| May 2014 to June 2015 | CEU reached agreement on the general approach of the draft Regulation. |
| June 2015 to December 2015 | EC, EP and CEU met to agree the wording of the Regulation in a series of meetings known as trilogue negotiations. |
| December 2015 | EC, EP and CEU agreed and finalised the wording of the Regulation. |
| 16 May 2017 | The Irish Department of Justice and Equality published the General Scheme of the Data Protection Bill 2017, which sets out to ensure Ireland's compliance with the GDPR. |
| 25 May 2018 | The Regulation applies to all EU Member States. |
“While imposing higher data protection obligations on business, it should also result in benefits by increasing consumer trust and confidence in new technologies and business models which should in turn facilitate business in reaping the full potential of the digital economy.”
Controllers must implement appropriate technical and organisational measures and procedures to ensure that processing safeguards the rights of the data subject by design. There are a few key steps if a business did not want to embark on a full review and overhaul just yet: minimise data collected; do not retain that data beyond its original purpose; and, give the data subject access and ownership of that data
This is really a right of consumers to erase their data. This is more far-reaching than a business might consider at first blush. A consumer or data subject can request to erase the data held by companies at any time and, if it has been passed on to any third parties (or third-party websites), they would have to erase it as well.
For serious penalties, the GDPR allows for fines of up to €20 million or 4% of total worldwide annual turnover (whichever is higher), which would be a serious chunk of revenue of even the largest multinational.
If a personal data breach is likely to cause a high risk to the rights and freedoms of the data subjects, personal data breaches must be notified to the relevant data subjects without undue delay, unless the controller can demonstrate that encryption or other technology rendered the data unintelligible to third parties.
So whether the data for 10 customers or 1,000,000 customers is lost, they would all have to be told. The potential for significant brand damage, litigation and media reporting of an incident is clear and could spell the end of a business overnight.
Important projects need owners. Under the GDPR, a data protection officer (DPO) is supposed to be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches and even creating a good data security policy. Businesses will need someone to act as the focal point in ensuring compliance with the GDPR and businesses will need to appoint DPOs sooner rather than later.
GDPR isn't just about meeting compliance standards. It’s an opportunity to make customers' and employees' data protection rights a key priority. Your organisation has an opportunity to demonstrate the adoption of the GDPR principles within its core values, placing the individual and their right to data protection as a key business objective.
GDPR also brings opportunities to Ireland for international businesses. There are significant efficiencies for multinational companies having their key data management functions located here. If a company makes its data strategy decisions in one EU member state, it is only obliged to report to that Data Protection Commissioner. In a post-Brexit world, it will be appealing to multinationals to negotiate with one Data Protection Commissioner in the only English speaking EU member state, rather than dealing with different jurisdictions with obvious language complexities.
