The GDPR clock is ticking...

Mar 29, 2018
With the GDPR deadline fast approaching, organisations should step up their efforts to ensure compliance writes Peter Bolger.
 
It is now eight weeks until the General Data Protection Regulation comes into force and it will have to be implemented by all businesses within the EU. Many companies have already taken steps to comply with the principles of this regulation but those who have not yet done so should urgently consider implementing GDPR strategies. Chartered Accountants need to incorporate new changes in their businesses, be it in private practice or in-house, in order to be GDPR compliant.
GDPR was passed by EU legislators in 2016. Following this, there was a two-year lead-in period so that awareness could be raised about the changes GDPR will make to privacy law. This period, ending on 25 May 2018, also allows businesses to take the time to ensure they are compliant. This involves reviewing and updating any policies or practices on processing personal data. It is of utmost importance that businesses are compliant, insofar as possible, by this date.
The Data Protection Bill 2018 has recently been published and is as important as GDPR. The Bill incorporates Ireland’s national implementing measures and also creates a new regulatory framework for enforcing data protection laws in Ireland. The Bill establishes the enforcement and administrative powers that are necessary to give effect to the intention of GDPR.

Data protection officers

In certain instances, it will be mandatory to appoint a data protection officer (DPO). This person will be responsible for advising the company on compliance with GDPR and will also act as a point of contact for data protection authorities and data subjects. Businesses must check whether or not they will need a DPO. Under GDPR, a DPO is required where the organisation is a public body; carries out large scale regular and systematic monitoring of individuals; or carries out large scale processing of special categories of data or of data relating to criminal convictions and offences. The Article 29 Working Party has issued guidelines on DPOs. The guidelines note that managers and those who work in IT cannot assume this role.

Fines

It is extremely important to note that fines under GDPR are substantial. While the maximum penalty under the current regime is €100,000, fines under GDPR are much greater. Depending upon the nature of the breach, either the lower or higher threshold of fines will be imposed. The lower threshold of fines is up to 2% of an undertaking’s global turnover in the previous year or €10 million, whichever is higher. The higher threshold is up to 4% of an undertaking’s global turnover in the previous year or €20 million, whichever is higher. The Data Protection Bill provides that a decision of the Data Protection Commissioner to impose a fine can be appealed to the Circuit Court or the High Court. It should also be noted that under the Bill, most public bodies are exempt from administrative fines. 
Data Protection Impact Assessments

Data Protection Impact Assessments (DPIAs) will be mandatory under GDPR where high-risk processing is contemplated. High-risk processing may involve profiling, large scale processing of special categories of personal data or large scale processing of public areas. DPIAs are only mandatory where the processing of data is “likely to result in high risk to the rights and freedoms of natural persons”. The Article 29 Working Party has issued guidelines on DPIAs and states that the rights and freedoms in question may also involve freedom of speech, thought, movement, prohibition of discrimination and rights to liberty, conscience and religion. These rights could also trigger an obligation to carry out a DPIA.

New data subject rights

Data subjects have increased rights under GDPR. Organisations must learn how to comply with these new rights and it is likely that privacy policies will have to be reviewed and updated. GDPR introduces the right to data portability, the right to erasure and the right to object to profiling. Certain rights have been modified, such as the data subject access right (SAR). This gives an individual the right to receive a copy of his or her personal data, which the controller holds. The already tight timeframe of 40 calendar days has been reduced to within one month of receiving a valid access request. It is therefore essential that organisations have an efficient and correct procedure in place to comply with any SARs received.

Consent

GDPR increases the obligations on data processors and controllers to obtain an individual’s consent prior to processing any personal data. Consent forms will therefore also need to be reviewed and updated. Data subjects must be informed of their right to withdraw their consent to processing at any time. For consent to be valid under GDPR, it must be “freely given, specific, informed and unambiguous”. Consent to process data must be entirely separate from other consents related to the firm’s business. The Article 29 Working Party in its guidelines on consent pointed out that in the case of employment, where the employer is the data controller, an employee (i.e. the data subject) is rarely in a position to give free consent. This issue was also raised by the Irish Data Protection Commissioner. Organisations must have the resources in place, should a data subject wish to retract consent. It must be as easy to withdraw consent as it is to give it. Therefore, many companies are now assessing whether to rely on consent or another GDPR-compliant basis for their processing. Under the Data Protection Bill, Ireland has lowered the age of digital consent to 13. 

Accountability

Accountability is one of the main principles of GDPR. Organisations must assess whether they have a sufficient data protection programme in place. They must also be able to provide evidence of how they comply with GDPR. This could be done by showing that they have implemented data protection policies and verify them through regular checks and testing. A significant number of Irish companies are now carrying out GDPR compliance programmes to ensure that they are in a position to demonstrate this compliance.

Data breaches

GDPR will change the notification requirements in the event of a personal data breach. Organisations must put data breach policies in place and internal registers of breaches must be available for inspection. Data controllers will therefore need to document incidents of data breaches and the remedial action taken. The Data Protection Commissioner will need to be notified where a breach is likely to result in a risk to the rights and freedoms of individuals. In cases of high risk for the data subjects, the data subjects themselves generally must also be notified. In its guidelines on determining whether processing is “likely to result in a high risk”, the Article 29 Working Party stated that this risk exists where the breach may lead to physical, material or non-material damage to the data subject. The Data Protection Bill permits not-for-profit bodies to lodge complaints with the Data Protection Commissioner on behalf of data subjects in the event of a data breach. They are also permitted to bring a civil claim.

Conclusion 

The sooner preparation for GDPR begins, the more risks will be minimised, including, importantly, the likelihood of fines being imposed.
Becoming GDPR-compliant is a large undertaking for all organisations. Once the time is taken to put the proper policies and procedures in place, compliance will not be so difficult to achieve.
 
Peter Bolger is the Head of Intellectual Property, Technology and Privacy at LK Shields.