The upcoming General Data Protection Regulation (herein, GDPR) will come into effect on the 25th May 2018 and Sleepless has had a lot of inquiries from businesses concerned about what it means for them. In this article, we will explain what the GDPR is and how companies can ensure that they stay on the right side of the regulations.
The GDPR applies if the data controller (the organisation that collects data), the data processor (an organisation that processes data on behalf of the data controller) or the data subject (the person whom the data is about) is based in the European Union. This affects all Irish companies that hold personal data and companies worldwide that hold personal data about EU citizens. According to the commission in charge of the GDPR:
“personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
All data collected must be accompanied by explicit consent, both to the collection itself and to the purposes the data is to be used for. Data controllers must be able to provide proof of consent, and consent may be withdrawn.
Data Protection Officer
All public authorities and those private companies whose core activities consist of data processing must designate a ‘data protection officer’. The data protection officer (or DPO) must be proficient at managing IT processes, data security (including dealing with ransomware and other cyber-attacks) and other data-related business continuity issues. The DPO must be effectively independent of the organisation that employs them, acting as an ‘internal regulator’.
All personal data must be ‘pseudonymised’, meaning that any identifiable data must be encrypted, or otherwise rendered unusable for linking the data to an individual person. Any encryption keys must be stored separately from the personal data itself. The GDPR does not concern the processing of data that is already anonymous, for example, data used for research or statistical purposes.
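As an added example (not code from the original article or from Sleepless), the following shows one way to implement the pseudonymisation described above using keyed tokens rather than reversible encryption, with the key held apart from the data so that the dataset alone cannot be paired back to a person; the records, field names and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records about hypothetical people (not real data).
RECORDS = [
    {"email": "anna@example.com", "city": "Cork", "visits": 12},
    {"email": "brian@example.com", "city": "Galway", "visits": 3},
]
DIRECT_IDENTIFIERS = {"email"}  # fields that pair a row to one person


def generate_key() -> bytes:
    """Secret for the pseudonymisation function. Under the GDPR text above
    it must live apart from the data (e.g. a key vault, not the same DB)."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, value: str) -> str:
    """HMAC-SHA256 of the identifier. Deterministic, so the same person maps
    to the same token, but without the key it cannot be recomputed or
    reversed. Caveat: reusing one key across datasets makes rows linkable
    between them, so use a distinct key per purpose."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(key: bytes, records: list[dict]) -> list[dict]:
    """Replace every direct identifier with its token; other fields stay."""
    out = []
    for rec in records:
        row = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            row[field] = pseudonym(key, row[field])
        out.append(row)
    return out


def relink(key: bytes, records: list[dict], email: str) -> list[dict]:
    """Only the key holder can find a data subject's rows, e.g. to answer an
    access or erasure request: recompute the token and match on it."""
    token = pseudonym(key, email)
    return [r for r in records if r["email"] == token]


def has_no_direct_identifiers(records: list[dict]) -> bool:
    """Assurance check before a pseudonymised set is shared or processed:
    no email field may still hold a raw address."""
    return all("@" not in r["email"] for r in records)
```

A holder of the data but not the key sees only 64-character tokens, which is what makes the breach-notification distinction in the next paragraph meaningful.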
Any data breach must be reported to the Supervisory Authority within 72 hours of the breach. If the breach is determined to have an adverse effect on individuals, those affected individuals must be informed. Individuals need not be informed, however, if the breached data has been anonymised or pseudonymised.
Sanctions can be imposed on companies that do not follow the GDPR. Examples of these sanctions include regular data protection audits and a fine of up to €20 million, or up to 4% of annual worldwide turnover, whichever is greater.
Records of Processing Activities
Records of processing activities must be kept. Upon request, these records must be made available to the Supervisory Authority.
For more information about the GDPR and what you can do to ensure compliance, contact Sleepless using the button below or call us on 0818 511 444.