Data Protection changes under GDPR
The General Data Protection Regulation (GDPR) is coming into effect on 25 May 2018, replacing the existing data protection framework under the EU Data Protection Directive. It significantly changes data protection law in Europe, strengthening the rights of individuals while increasing the obligations of organisations.
Businesses will have increased procedures and responsibilities in how they collect, process and protect personal data. They need to prepare effectively to avoid costly fines and breaches of privacy law. At the heart of the GDPR is the requirement for organisations to be transparent about how they are using and safeguarding personal data, and to be accountable for their data processing activities.
New legislation will enhance individual privacy rights considerably, as it standardises and strengthens the right to data privacy among the European citizens. Organisations should review their employment and data processing practices to ensure compliance. As a direct impact of GDPR regulations, Compliance and Data professionals are now in demand, according to our findings in 2018 Salary Guide
Employers are also encouraged to have a data protection policy, which includes details on the recruitment practices, use of information and communications technology, transfer of personal data, record keeping and other key issues relevant to the organisations' obligations under data protection legislation.
How will GDPR affect your organisation?
Personal Privacy Rights
The rights afforded to individuals will be similar to what they currently experience such as the right to have; data deleted, inaccuracies corrected and object to direct marketing. Additionally, however, they will have the right to information about data retention periods and have inaccurate data amended. Companies also need to consider how they will provide data electronically if requested.
GDPR also changes the timescale for responding to data protection requests to 1 month.
Consent as a ground for data processing
Customer consent must be 'freely given, specific, informed and unambiguous'. The customer must know exactly what they are consenting to and requires a positive action of approval. It can't be inferred, be silence or a failure to take action, e.g. tick a box to opt out. An individual also needs to be told of their right to withdraw consent. There is an onus on employers to show how consent was obtained and to keep the record of it.
Strict financial penalties and compensation
Currently, an individual can report a breach of his/her data protection rights to the Data Protection Commissioner. It's then up to the Data Protection Commissioner to decide whether it should be pursued by way of criminal prosecution in the District Court. There is no compensation to the person concerned for a breach unless he/she has suffered loss or damage.
Under the new regime, the Data Protection Commissioner (DPC) will be able to impose penalties of up to 4% of a company's worldwide turnover or �20 million for breaches of the data protection law.
An individual whose rights have been breached has the right to be compensated for material or non-material damage, including for stress arising from the breach.
Reporting data breaches
Employers must ensure they have procedures in place to detect, report and investigate any data protection breaches. Under GDPR, there will be an obligation to report a data breach to the Data Protection Commissioner.
Failure to report a breach will result in a fine in addition to the fine for the breach.
Data protection officer appointment
Large organisations or public bodies will need to designate a Data Protection Officer (DPO) under the GDPR regime. Any employer should consider whether you need a data protection officer in your organisation. You might also consider appointing an external advisor to this role.
Data protection impact assessments (DPIA)
Data protection impact assessments (DPIA) will be necessary when a new processing activity may result in a high degree of risk for data subjects. The DPIA should contain:
- Description and purpose of the processing
- An assessment of the necessity for the processing operation
- An assessment of the risks to the rights of the data subjects
- What steps will be taken to reduce the risks
A DPIA would be necessary for example where a hospital is going to start processing its patients' health data, or an employer will commence monitoring employees' use of the internet.
Final guidance
The GDPR is an important legislation emanating from Europe and should be of particular concern for employers who need to examine their existing data protection policies carefully. From how organisations gather data to how they deal with data protection requests, companies need to act now to ensure they fully transparent and compliant for May.