The General Data Protection Regulation ("GDPR") is due to take effect on 25th May 2018. The GDPR will harmonise data protection rules across the European Union and is a very substantive piece of data privacy/protection legislation.
A number of important elements of which organisations should be immediately aware are as follows:
- The GDPR provides that a Data Protection Officer (“DPO”) should be appointed by organisations whose core activities involve the regular and systematic monitoring of data subjects on a large scale, as well as organisations whose core activities involve the processing on a large scale of special categories of personal data. Organisations may also appoint a DPO voluntarily; public bodies, however, will be obliged to appoint one.
- The GDPR sets out an elevated threshold for obtaining consent from a data subject. The onus will rest with employers to prove that they have obtained consent validly. A number of previously simple methods of obtaining consent have been removed: “opt-out” consent is no longer valid, as silence, inactivity and pre-ticked boxes do not constitute consent.
- Any business implementing new processes or technologies which involve processing that is likely to result in a high risk to the rights and freedoms of employees may need to carry out a Data Protection Impact Assessment (“DPIA”).
- The GDPR grants new rights and builds on existing rights of data subjects. These include, for example, the right of access, data portability, correction, erasure, objection and the restriction of processing of personal data.
- The GDPR sets out significant penalties in the event of non-compliance. Penalties of €10 million or 2% of annual global turnover, whichever is greater, or €20 million or 4% of total annual global turnover, whichever is greater, may be imposed.
In the past few months, the Government published the General Scheme of the Data Protection Bill 2017 (the “Scheme”). This Scheme provides an insight into the Irish Government’s intent and approach towards the GDPR. The Scheme is only in its preliminary form and is likely to be subject to amendment as it moves through the legislative process.
Given the short time period left until 25th May 2018, and the fact that the GDPR places onerous obligations on organisations in relation to all personal data which they process, organisations should immediately begin to prepare for the GDPR.