A new European Union-wide framework known as the General Data Protection Regulation (GDPR) came into force across the EU on 25 May 2018. An accompanying Directive establishes data protection standards in the area of criminal offences and penalties. The GDPR provides for significant reforms to data protection rules: these reforms set higher standards of data protection for individuals, impose increased obligations on organisations that process personal data, and widen the range of possible sanctions for infringements of these rules.
The GDPR places direct data processing obligations on businesses and organisations at an EU-wide level. According to the GDPR, an organisation can only process personal data under certain conditions. For instance, the processing should be fair and transparent, for a specified and legitimate purpose and limited to the data necessary to fulfil this purpose. It must also be based on one of the following legal grounds:
- The consent of the individual concerned.
- A contractual obligation between you and the individual.
- Compliance with a legal obligation.
- Protection of the vital interests of the individual.
- Performance of a task that is in the public interest.
- Your company’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the individual whose data you are processing are not seriously impacted. If the person’s rights override your interests, then you cannot process the data.
The key steps you need to take to ensure compliance with data protection legislation:
- Identify what personal data you hold.
- Conduct a risk assessment of the personal data you hold and your data processing activities.
- Implement appropriate technical and organisational measures to ensure data (on digital and paper files) is stored securely. The security measures your business should put in place will depend on the type of personal data you hold and the risk to your customers and employees should your security measures be compromised.
- Know the legal basis you rely on (consent? contract? legitimate interest? legal obligation?) to justify your processing of personal data.
- Ensure that you are only collecting the minimum amount of personal data necessary to conduct your business, that the data is accurate, and that it is kept no longer than is needed for the purpose for which it was collected.
- Be transparent with your customers about the reasons for collecting their personal data, the specific uses it will be put to, and how long you need to keep their data on file (e.g. notices on your website or signs at points of sale).
- Establish whether or not the personal data you process falls within the special categories of personal data (sensitive data) and, if it does, know what additional precautions you need to take.
- Decide whether you will need to retain the services of a Data Protection Officer.
For additional information, support and resources, make sure to contact the Data Protection Commission (DPC). The DPC is the Irish supervisory authority for the General Data Protection Regulation (GDPR), and also has functions and powers related to other important regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive.