Preparing for the GDPR
On the 25th May 2018, the General Data Protection Regulation (“GDPR”) will come into force. From this date, data controllers and processors will have significantly enhanced obligations towards individuals whose personal and sensitive data they hold. The Data Protection Commissioner has released a 12-step guide to assist companies and other data controllers in preparing for these new obligations. A number of the most significant steps are set out below:
i) It is vital that you document all personal data you hold and are in a position to explain why you hold the data, how it was collected, how long you will retain it, how securely the data is held, and whether the data is to be shared with third parties (and the basis for doing so). Having a paper trail demonstrating how data is held and processed will go a long way towards showing compliance with the principles of the GDPR.
ii) You should review all current data privacy notices and identify any gaps between the current requirements for privacy notices under the Data Protection Acts 1988 and 2003, and the GDPR requirements. The GDPR additionally requires that you notify customers of the lawful basis for processing the relevant data, the period for which you intend to retain that data, the customer’s right to complain to the Data Protection Commissioner if they are unhappy with how their data has been treated, and their individual rights under the GDPR – more on this below.
iii) Your procedures must cover all the rights individuals enjoy under the GDPR. These rights include the following:
- The right to have inaccuracies corrected;
- The right to have information erased;
- The right to object to direct marketing;
- The right to data portability;
- The right of access to data held; and
- The right not to be subject to automated decision-making.
Many of these rights already exist under the 1988-2003 Acts, but the GDPR significantly enhances them. Companies and other data controllers should review their processes to ensure that they comply with this new requirement.
iv) From the 25th May 2018, you will not be able to charge for processing an access request. Access requests must be dealt with within one month rather than 40 days, but if a request is manifestly unfounded or excessive, it can be refused. If an access request is to be refused, it is important that the data controller has appropriate policies in place setting out the criteria for such a refusal.
v) You should identify the legal basis for the types of data processing you carry out and document it to show compliance with this new obligation.
vi) Customer consent to recording personal data must be “freely given, specific, informed and unambiguous”. As such, if consent is required when recording personal data, you should review how it is sought and documented. Consent must be verifiable and individuals must be informed of their right to withdraw consent. Your processes should be reviewed to accommodate these requirements.
vii) You should make sure that you have the right procedures in place to detect, report and investigate a personal data breach. The GDPR introduces a duty to report certain types of data breach to the Data Protection Commissioner within 72 hours. Any breaches that are likely to cause harm to individuals, such as identity theft, will have to be notified to the individuals directly.
viii) Finally, certain data controllers will be required to appoint a Data Protection Officer (“DPO”) to ensure the data controller is acting in compliance with the requirements of the GDPR. You should check to see if you fall under this category and ensure that someone within your organisation, or an external party, can take responsibility for your compliance with data protection principles.