The General Data Protection Regulation (GDPR) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.
As a regulation, it will not generally require transposition into Irish law (regulations have ‘direct effect’), so organisations involved in data processing of any sort need to be aware that the regulation addresses them directly in terms of the obligations it imposes. The GDPR emphasises transparency, security and accountability by data controllers and processors, while at the same time standardising and strengthening the right of European citizens to data privacy.
Raising awareness of the new law among organisations and the public will be a combined effort of the Data Protection Commissioner (DPC), the Government, practitioners, and industry and professional representative bodies. Over the course of 2017, the DPC will be proactively undertaking a wide range of initiatives to build awareness of the GDPR, in particular providing guidance to help organisations prepare for the new law, which comes into force on 25 May 2018.
The DPC is also an active participant in the Article 29 Working Party (WP29) comprising representatives from each EU member state’s Data Protection authority. The WP29 has a central role in providing further explanatory and practical guidance on key provisions of the GDPR.
Who the new Regulation applies to:
The regulation applies if the data controller (an organisation that collects data from any EU residents), the processor (an organisation that processes data on behalf of a data controller, e.g. a service provider) or the data subject (the person) is based in the EU. The regulation also applies to organisations based outside the European Union if they collect or process personal data of EU residents. According to the European Commission, “personal data is any information relating to an individual, if it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social media, networking websites, medical information, or a computer’s IP address.”
The regulation does not apply to the processing of personal data for national security activities or law enforcement within the European Union. However, industry groups concerned about facing a potential conflict of laws have questioned whether Article 48 of the GDPR could be invoked to prevent a data controller subject to a third country’s laws from complying with a legal order from that country’s law enforcement, judicial or national security authorities to disclose the personal data of an EU person to those authorities, regardless of whether the data resides inside or outside the EU. Article 48 states that any judgment of a court or tribunal, and any decision of an administrative authority of a third country, requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty in force between the requesting third (non-EU) country and the Union or a Member State.
The data protection reform package also includes a separate Data Protection Directive for the police and criminal justice sector that provides rules on personal data exchanges at national, European and international level.
Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting obligation is not subject to any standard: a data breach must be reported to the Supervisory Authority within 72 hours of the controller having become aware of it (Article 33).
Individuals have to be notified if adverse impact is determined (Article 34).
In addition, the data processor will have to notify the controller without undue delay after becoming aware of a personal data breach (Article 33).
However, notice to data subjects is not required if the data controller has implemented appropriate technical and organisational protection measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption (Article 34).
The following sanctions/fines can be imposed:
Warning in writing in cases of first and non-intentional non-compliance,
Regular periodic data protection audits,
Fine up to €10,000,000 or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, where there has been an infringement of the following provisions (Article 83, Paragraph 4):
Fine up to €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, where there has been an infringement of the following provisions (Article 83, Paragraphs 5 & 6):