General Data Protection Regulation 2018
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. As an EU regulation it has direct effect in Irish law without needing to be transposed; it replaces the Data Protection Directive 95/46/EC, on which the Data Protection Acts 1988 and 2003 were based.
Purpose
The GDPR focuses on standardising European citizens' right to data privacy across the EU, and on transparency, security and accountability on the part of data controllers.
Key Changes
Fines: The GDPR gives data protection authorities the power to impose administrative fines which can be devastating for an organisation. For the most serious infringements it allows fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Data Request:
The new regulation will make it easier for individuals to request copies of data relating to them.
At the moment an individual (including an employee) requesting a copy of their data may be charged a fee of up to €6.35 and can have to wait up to 40 days for the copies to be supplied.
Under the GDPR the request is free of charge (unless it is manifestly unfounded or excessive), and the employer must respond without undue delay and in any event within one month of receiving it.
An employer is also required to provide the employee with additional information alongside the copy, such as how long the data will be stored and the employee's right to have inaccurate data concerning them corrected.
Data Breaches:
Mandatory reporting of data breaches has also been introduced.
At the moment only some organisations are obliged to do this. Once the GDPR comes into force, every organisation must report a personal data breach to the Data Protection Commissioner within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned.
Where the breach is likely to result in a high risk to those individuals, they must also be informed of it without undue delay.
A failure to report it could result in a fine, as well as a fine for the breach itself.
Data Protection Officers:
Some organisations will be required to appoint a Data Protection Officer, including:
- Public authorities and bodies
- Organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale
- Organisations whose core activities involve processing special categories of personal data (sensitive personal data), or data relating to criminal convictions, on a large scale
Recommendations
If your organisation is compliant under the existing law, that work will carry over to the GDPR, although the new obligations described above (breach reporting, the shorter access-request timeline and the Data Protection Officer) still need to be addressed.
The following are the main principles of data protection. We recommend that you make sure your organisation complies with these, as this will greatly help in the case of any inspection under the GDPR:
- Advise all employees that you are collecting data about them, why you do this, who your Data Controller is and who may have access to it.
- Obtain and process information fairly
- Keep it only for one or more specified, explicit and lawful purposes
- Use and disclose it only in ways compatible with these purposes
- Keep it safe and secure
- Keep it accurate, complete and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it for no longer than is necessary for the purpose or purposes
- Give individuals a copy of their personal data on request
The GDPR introduces a number of significant changes that every employer must be aware of and comply with, in order to avoid significant penalties. We recommend that employers:
- Review their existing data protection policies to ensure that they reflect the new changes.
- Report any breach that is likely to result in a risk to individuals, and inform the individuals concerned where the risk to them is high.
- Consider whether their company is obliged to appoint a Data Protection Officer.
Finally, here are a few questions to bring you one step closer to being compliant:
- What data do you hold?
- Why are you holding it?
- How long will you retain it?
- Is it safe?
This update is provided by the MSS HR Support Service. For further details on the General Data Protection Regulation or on other HR services please email hr@mssirl.ie.