The General Data Protection Regulation (“GDPR”)
25 May 2017
On 25 May 2018, the GDPR will come into force across the EU and will replace the existing Data Protection Directive 95/46/EC which has been in place since 1995. The GDPR will bring substantial changes to European Data Protection Law and includes severe financial penalties for non-compliance. Therefore, Irish companies must be in full compliance with the GDPR by the May 2018 deadline. The European Commission has also proposed the Law Enforcement Data Protection Directive 2016/680 (“LEDP Directive”) which will replace the Data Protection Framework Decision 2008. Although the LEDP Directive and the GDPR were adopted together and are considered to constitute a package, the LEDP Directive has not attracted as much attention and debate as the GDPR. The LEDP Directive must be transposed into national law by Member States by 06 May 2018.
Aim of the GDPR
The GDPR has been described as the most ground-breaking piece of EU legislation in the digital era. The aim of the GDPR is to harmonise data protection across the EU. It also aims to make companies and businesses more accountable for data privacy compliance; it strengthens citizens’ fundamental rights and gives them more control over their personal data. The GDPR will apply to both data controllers and data processors.
The GDPR requires a data subject’s consent to processing of their personal data to be freely given, specific, informed and unambiguous. Where a data controller collects personal data for one specific purpose, the GDPR requires that data subjects give additional consent for each additional processing operation. Consent must be explicit for sensitive data.
Parental consent will be required to process the personal data of children under the age of 16 for online services. Member States may legislate for a lower age of consent but this will not be below the age of 13.
Companies that breach data protection law can face fines calculated by reference to their annual turnover. Companies will face fines of up to €20 million or 4% of global turnover for non-compliance, whichever is higher.
If a company suffers a data breach, the GDPR introduces a mandatory obligation to notify the local data protection authority without delay. The GDPR states that the notification should be made within 72 hours.
Appointment of a Data Protection Officer
Certain organisations will be required to appoint a Data Protection Officer (“DPO”). The DPO must be an expert in data protection law and privacy. They must have the ability to act independently and must report directly to senior management within the organisation.
Broader definition of Personal Data
The definition of ‘personal data’ has been broadened to include online identifiers, location data and IP addresses. The term ‘sensitive personal data’ has also been broadened to include genetic and biometric data.
One stop shop
Multi-national companies will benefit from a one-stop shop approach where the data protection authority in the member state where the controller or processor has their main establishment will be the lead authority in relation to data processing undertaken by that controller or processor.
Privacy by Design
The GDPR seeks to ensure that privacy rights of data subjects are prioritised by data controllers when they make business decisions. Data controllers must ensure that privacy concerns are a key part of their decision making.
There are some concepts in the GDPR that reflect current law. However, a number of the requirements are new. Irish companies will have to analyse and review the GDPR in great detail in order to understand how they can comply with the GDPR requirements.