The General Data Protection Regulation (GDPR) is a new EU data protection regulation that will come into force on 25 May 2018.
“The GDPR emphasises transparency, security and accountability by data controllers and processors, while at the same time standardising and strengthening the right of European citizens to data privacy.”
In Ireland, when we currently talk about data protection legislation we are referring to the Data Protection Act 1988, as amended by the Data Protection (Amendment) Act 2003. Both will be replaced by the GDPR, and businesses involved in data processing will have to comply with the obligations it imposes.
The new regulation covers not only businesses operating in the EU but also any personal data of EU citizens that is stored outside the EU, for example on cloud storage services.
What is “data processing”?
White & Case describe data “processing” essentially as “anything that is done to, or with, personal data (including simply collecting, storing or deleting this data).” The term is also technology-neutral, so regardless of whether the data is stored on paper or electronically, the legal obligations of the GDPR will apply.
What is “personal data”?
“Personal data” is defined in Article 4(1) of the GDPR as “any information relating to an identified or identifiable natural person (‘data subject’)”. “Any information” is very broad and could mean a name, an email address, a gender, an HTTP cookie etc. (individually, these can be referred to as “identifiers”). When an individual can be identified either from the data alone or from the data in conjunction with other information that is in, or is likely to come into, the possession of the business processing the data, it is considered to be “personal data” and comes under the obligations of the GDPR. E.g.
What is a “natural person”?
A ‘real person’ like you or me. The GDPR applies to the personal data of any living EU citizen. An identified natural person is one who is already known, whereas an identifiable natural person is one who could potentially be identified from identifiers (see above).
What is the “data subject”?
The data subject is the identified or identifiable individual to whom the information relates.
GDPR and You
The Data Protection Commissioner has put together a 12-step introductory document for businesses, “The GDPR and You”, to help with the GDPR transition. While they say that it is not an exhaustive list, it is a very useful starting point, particularly for small and medium enterprises. It lists the following steps:
Businesses that fail to comply with the requirements of the GDPR from 25 May 2018 onwards could face fines of up to 4% of annual turnover or €20 million, whichever is greater. The GDPR also makes it considerably easier for individuals to bring private claims against data controllers when they believe their data privacy has been infringed, and allows data subjects who have suffered non-material damage as a result of an infringement to sue for compensation.
The DPC recommends that all organisations first carry out a “review and enhance” analysis of all current and envisaged data processing in line with the GDPR. If you want to learn more about the GDPR and how to prepare your business, take a look at our one-day programme, Preparing for GDPR.
Lesley Cobbe, 2 November 2017
We’ve been in the professional development and education business for over 25 years. As a subsidiary of The Irish Times, we work with a broad range of people and organisations to deliver the highest quality training available. The people who’ve benefitted from our expertise span HR departments across business, government, large corporations and SMEs, as well as individuals.
Call us today / 01-4727101