Big changes are coming in how Irish businesses must prepare for the new EU data protection rules, known as the General Data Protection Regulation (GDPR).
On Thursday 15th June Sligo Chamber Skillnet hosted a breakfast briefing at the Sligo Park Hotel titled “General Data Protection Regulation (GDPR), legislation effective 25th May 2018”, to make local businesses aware of the practical implications for business of the GDPR, which takes effect on 25 May 2018.
The main speaker was Mr. John Keyes, Assistant Commissioner & Head of Investigations, Office of the Data Protection Commissioner.
The briefing, in summary:
We are living in what might be considered the 4th Industrial Revolution, the beginning of a technological age. However, the law worldwide, including EU law under the Charter of Fundamental Rights of the European Union, has always struggled to keep up with the hyper-fast-paced changes affecting our personal rights online and the protection and ownership of personal data.
Data protection laws and policies don’t just apply to giants like Google, Apple, Facebook, Sony etc., although we regularly see stories in the media about ongoing legal struggles over how such companies use the personal data we give them in order to use their products. Any business that stores any digital records (emails, personal records, CCTV images) of clients or customers is considered a “Data Controller”. The changes coming will make it easier for people to request access to all their data and to how their data is used, stored and processed. Once a request is made, every company must respond in full within a set time; failure to respond in full and on time may attract penalty fines, and the penalties can be severe!
The upcoming GDPR changes essentially give individuals enhanced rights over their data. Recital 4 of the GDPR states:
“The processing of personal data should be designed to serve mankind.”
“The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”
“This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties.”
The 8 Principles of Data Protection
- Obtain and process information fairly
- Keep it only for one or more specified, explicit and lawful purposes
- Use and disclose it only in ways compatible with these purposes
- Keep it safe and secure
- Keep it accurate, complete and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it for no longer than is necessary for the purpose or purposes
- Give a copy of his/her personal data to that individual on request
Major changes are coming in 3 main areas:
- General Data Protection Regulation (GDPR)
- Data Protection Bill
- E-Privacy Regulation
Although the short briefing didn’t have time to get into many specifics, rest assured that all of these areas relate in some way to most businesses operating in the modern technological age we live in. As a Digital Marketing Agency creating websites, email campaigns, social media marketing and online advertising campaigns for our clients (and ourselves), we were very interested to learn more about the changes in the E-Privacy Regulation and the Data Protection Bill, but unfortunately the briefing didn’t allow time to get into these aspects in any detail.
Mandatory Breach Reporting
Make sure you have the procedures in place to detect, report and investigate a data breach.
Top 5 Breach Types (Data Protection, 2016)
1. Unauthorised Disclosures
2. Postal Disclosures
3. Electronic Disclosures
4. Website Security
5. Other Security Related Issues
Top 5 Complaint Types (Data Protection, 2016)
1. Access Rights (56%)
2. Disclosure
3. Electronic Direct Marketing
4. Unfair Processing
5. Failure to secure data
What does all of this mean?
If you’re any kind of business operation or public body that does almost anything imaginable to information relating to an identifiable person, for whatever purpose and in whatever way, the GDPR applies to you!
Summary advice from the speaker, John Keyes
The 2016 DPC annual report contains a 12-step guide which all businesses should first read to evaluate whether or not they are already compliant with current legislation:
http://www.dataprotection.ie/docs/11-04-2017-Annual-Report-2016/1631.htm
Accountability
– Make an inventory of all personal data you hold
– Why do you hold it?
– Do you still need it?
– Is it safe?
Preparation for General Data Protection (GDPR)
The advice for all businesses was to create a document containing the company’s policies and procedures covering all of the areas below concerning data protection:
– General
– Data Retention
– Data Security
– Dealing with Access and other Requests
– Monitoring
– CCTV
– Direct Marketing
– Payment Processing
– Cookies
– Website Privacy
Templates for General Data Protection (GDPR)?
During the briefing there were requests from the audience for any templates they could use to prepare such a document; as we understand it, there are no official templates. The advice given was to create a document which explains in simple terms how your company handles, processes and stores such personal data and why it does so. It was also advised that, since the upcoming changes are major and may have quite serious implications for any business, it may be pertinent to hire a specialist consultant or solicitor who can help your company create such documents and advise on procedures accordingly.
When does the General Data Protection Regulation (GDPR) become effective? From 25 May 2018.
This deadline is less than one year away. In the coming months you will learn more about it from the media, and you can also contact www.dataprotection.ie.