What does GDPR mean for your business?

The General Data Protection Regulation (GDPR) is a new EU data protection regulation that applies from 25 May 2018.

“The GDPR emphasises transparency, security and accountability by data controllers and processors, while at the same time standardising and strengthening the right of European citizens to data privacy.”

[Source: Dataprotection.ie]

In Ireland, when we currently talk about data protection legislation we are referring to the Data Protection Act 1988, as amended by the Data Protection (Amendment) Act 2003. Both will be replaced by the GDPR, and any business that processes personal data will have to comply with the obligations it imposes.

The new regulation applies not only to businesses established in the EU (regardless of where the data is actually processed or stored, e.g. on cloud storage services located outside the EU) but also to businesses outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.

What is “data processing”?

White & Case describe data “processing” essentially as “anything that is done to, or with, personal data (including simply collecting, storing or deleting this data).” The term is also technology neutral: the legal obligations of GDPR apply regardless of whether the data is held on paper or electronically.

What is “personal data”?

“Personal data” is defined in Article 4(1) of GDPR as “any information relating to an identified or identifiable natural person (‘data subject’)”. “Any information” is very broad and could mean a name, an email address, a gender, an HTTP cookie, an IP address etc. (individually, these can be referred to as “identifiers”). When an individual can be identified either from the data on its own, or from the data combined with other information that is in, or is likely to come into, the possession of the business processing the data, it is considered to be “personal data” and comes under the obligations of GDPR. For example:

  1. An email address on its own, as it is personal to the individual.
  2. First name, surname and job function. In combination this information could be used to trace back to the individual, and therefore each of the data elements is considered to be personal data.

What is a “natural person”?

A ‘real person’ like me or you, as opposed to a company or other legal entity. The GDPR applies to the personal data of living individuals; it does not require the person to be an EU citizen. An identified natural person is one who is already known, whereas an identifiable natural person is one who could potentially be identified based on identifiers (above).

What is the “data subject”?

The data subject is the identified or identifiable individual to whom the information relates.

GDPR and You

The Data Protection Commissioner has put together a 12-step introductory document, “The GDPR and You”, to help businesses with the GDPR transition. While they say that it is not an exhaustive list, it is a very useful starting point, particularly for small and medium enterprises. It lists the following steps:

  1. Becoming Aware
  2. Becoming Accountable
  3. Communicating with Staff & Service Users
  4. Personal Privacy Rights
  5. How will Access Requests Change?
  6. What we mean when we talk about a ‘Legal Basis’
  7. Using Customer Consent as grounds to process data
  8. Processing Children’s Data
  9. Reporting Data Breaches
  10. Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default
  11. Data Protection Officers
  12. International Organisations and the GDPR

Businesses that fail to comply with the requirements of GDPR from 25 May 2018 onwards could face fines of up to 4% of annual worldwide turnover or €20 million – whichever is greater. The GDPR also makes it considerably easier for individuals to bring private claims against data controllers when they believe their data privacy has been infringed, and allows data subjects who have suffered non-material damage as a result of an infringement to sue for compensation.

The DPC recommend that all organisations first carry out a “review and enhance” analysis of all current and envisaged data processing in line with GDPR. If you want to learn more about GDPR and how to prepare your business, take a look at our 1 day programme, Preparing for GDPR.

Lesley Cobbe, 2 November 2017
