The Office of the Data Protection Commissioner has issued updated guidance to organisations on implementing the General Data Protection Regulation ('GDPR'). This is useful considering that a recent BT Ireland survey found that almost 70% of CFOs are unaware of the new data protection laws.
This is surprising when you consider that the GDPR means potential fines of up to €20m (or 4% of total turnover) for serious non-compliance. How has this not become an agenda item at board meetings yet?
In November, Helen Dixon, the Irish Data Protection Commissioner, urged organisations to immediately start preparing for GDPR. She recommended that organisations carry out a review and analysis exercise on processing to ensure it complies with GDPR with a view to enhancing compliance. The further guidance note issued by the Data Protection Commissioner earlier this week on implementing GDPR can be found on their website here:
The main thrust of the guidance is simple - don't leave it to the last minute to implement GDPR. Organisations have until 25 May 2018 to comply and that will not be long coming around. The checklist provided in the guidance sets out the following steps for organisations:
1. Become aware - identify areas that could cause compliance problems under GDPR.
2. Become accountable - create an inventory of all personal data you hold and why - look at security and retention also.
3. Communicate with staff and service users - update privacy notices to comply with GDPR.
4. Personal privacy rights - make sure your procedures cover all of the rights that individuals have including right of access, correction and erasure.
5. Look at how access rights will change - the new timescales mean that data access requests must be complied with as soon as possible and in any case within 1 month - other changes to access rights also need to be considered.
6. Look at your legal basis for processing - document it and make sure it fits under GDPR - if it doesn't you may not be able to collect and process that data in the same way.
7. Look at consent - review how you seek, obtain and record consent and check that it is still sufficient. GDPR means consent may be more difficult to demonstrate, particularly where the data subject has no real option. This may have a particular impact on how you collect and process employee personal data.
8. Review how you process children's data - the age of consent needs to be reviewed and how you verify age will need to be considered.
9. Review your data breach reporting processes - GDPR brings mandatory reporting obligations in the event of a breach. Unless the data is encrypted or anonymised, all breaches must be notified to the Data Protection Commissioner within 72 hours. If the individual is likely to suffer harm, they must also be notified.
10. Do you need impact assessments and how are you implementing data protection by design and default into your organisation? If you are involved in high risk processing such as profiling, developing new tech or large scale monitoring of public areas then you will need to have procedures in place under this category.
11. Do you need to appoint a data protection officer? If your organisation is a public authority, if its activities involve regular and systematic monitoring of data subjects on a large scale, or if it processes sensitive personal data on a large scale, then you must appoint a dedicated data protection officer. This can be an external party, but they must have responsibility for data protection compliance and have the appropriate authority and support.
12. Are there any international implications for your organisation? If you are a multinational you need to ascertain which data protection authority you should mainly deal with. GDPR operates on a one stop shop basis.
GDPR compliance can no longer be put on the long finger and organisations must start reviewing and planning their compliance well in advance of May 2018.
If you need advice on data protection and GDPR compliance please contact a member of our Employment Law & Data Protection Team:
Disclaimer: This article is for guidance purposes only. It does not constitute legal or professional advice. No liability is accepted by Leman Solicitors for any action taken or not taken in reliance on the information set out in this publication. Professional or legal advice should be obtained before taking or refraining from any action as a result of the contents of this publication. Any and all information is subject to change.
“It is essential that all organisations immediately start preparing for the implementation of GDPR by carrying out a “review and enhance” analysis of all current or envisaged processing in line with GDPR,” the DPC recommends. “This will allow time to ensure that you have adequate procedures in place to deal with the improved transparency, accountability and individuals’ rights provisions, as well as optimising your approach to governance and how to manage data protection as a corporate issue. It is essential to start planning your approach to GDPR compliance as early as you can, and to ensure a cohesive approach amongst key people in your organisation.”