The EU General Data Protection Regulation (“GDPR”) contains a set of rules which come into direct effect (i.e. without the need for national implementation legislation) on the 25th of May 2018. The GDPR will replace the existing data protection framework under the EU Data Protection Directive in its entirety.
The first piece of Irish legislation governing data protection dates back to 1988, with a subsequent amending Act in 2003. There is no doubt that technology, and the manner and extent to which businesses use and store consumer data, have changed drastically since then, not just in Ireland but across the globe.
The GDPR aims to address this and provide a more transparent, standardised data protection playing field which strengthens the rights of European citizens to data privacy.
The GDPR will apply to any organisation which operates within the EU, but also to any organisation which processes personal data (i.e. any information related to an identified or identifiable natural person held electronically or physically) of EU citizens, even if the organisation is located outside of the EU. For example, if a company based outside the EU (e.g. a cloud storage company) stores data belonging to an EU citizen, the GDPR will apply.
Whilst many of the main concepts and principles of the General Data Protection Regulation are much the same as those in our current Data Protection legislation, there is no doubt that the GDPR introduces new elements and substantial improvements which any organisation processing personal data will need to consider and assess in advance of the 25th of May.
The following are some of the key changes which organisations will need to consider and assess in advance of next May, adopting a risk-based approach:
• Higher Threshold of Consent: The General Data Protection Regulation raises the bar in terms of the form of consent provided by an individual to process their personal data. For example, an individual’s consent to the processing of their data must be “freely given, specific, informed and unambiguous”. Silence, pre-ticked boxes or inactivity will no longer suffice.
• Enhanced rights for individuals: Individuals will have a greater say in how their personal data is collected and processed. For example, they may request to receive further information within one month on how their data is processed, or request that the data be rectified or deleted.
• Risk Based Implementation: Depending on the level of risk, organisations may need to:
– Conduct impact assessments
– Keep detailed records of data processing and implement measures to ensure and demonstrate compliance
– Designate Data Protection Officers who will report to senior management and serve as the point of contact for data subjects and the Data Protection Commissioner.
• Sanctions for Non-Compliance: The GDPR gives data protection authorities more powers to address non-compliance, including substantial administrative fining powers of up to €20,000 (or 4% of total annual global turnover, whichever is greater) for the most serious infringements. The GDPR also makes it much easier for individuals to bring private claims against data controllers when their data privacy has been infringed.
The GDPR and Professional Opportunities:
The clock is ticking and organisations need to familiarise themselves with the incoming GDPR now and begin to prepare to comply with their obligations.
From a recruitment perspective, our experience at Azon Recruitment is that many organisations have already started this process, as we have seen an increase in demand for experienced data protection professionals over recent months, including:
• Data Protection Officers
• Data Protection Lawyers/Data Privacy Counsel
• Data Protection Consultants/Specialists
If you are an experienced data protection professional, or this is an area in which you are interested, please don’t hesitate to contact our Head of Legal, Ruth Lyndon, on 01 5549260 or firstname.lastname@example.org to discuss potential relevant opportunities.