Businesses may be affected when new data protection regulations come into force in May 2018.
Breaches could result in businesses being fined and liable to pay compensation to data subjects.
Clients need to start preparing for the changes to our data protection laws as early as possible to avoid being found in breach of the regulations.
The General Data Protection Regulation (“GDPR”) will come into force in May 2018 and will introduce significant changes to our data protection laws. The purpose of the regulation is to ensure greater transparency, security and accountability by data controllers, whilst also strengthening the right of individuals to data privacy. Organisations will have to be able to demonstrate that they are in compliance with GDPR.
It will introduce a new concept of accountability. This will require organisations to demonstrate (and, in most cases, document) the ways in which they comply with data protection principles when transacting business.
Fines and Penalties
The headline-grabbing change introduced by the GDPR is that significant fines can be imposed on undertakings in breach of the regulations. Fines of up to €20 million or 4% of worldwide turnover (whichever is the greater) can be imposed for serious breaches, while at the lower end of the scale warnings can be issued for first offences or unintentional breaches. Alternatively, regular periodic data protection audits can be scheduled.
Under GDPR the timeframe for complying with access requests has been reduced from 40 days to one month. In addition, the fee payable by the subject has been abolished except in limited circumstances.
The data subject shall have the right to receive the personal data, which he or she has provided to a controller, in a “structured, commonly used and machine-readable format”. The data subject will also have the right to transmit that data to another controller without hindrance from the controller to which the data has been provided. In future, this will mean that information provided in response to an access request may have to be provided in an electronic format.
One significant change relates to the remedies available where a person has suffered damage as a result of an infringement of the regulations. Under the GDPR they will have a right to compensation from the controller or processor for any material or non-material damage suffered. In Collins V FBD Insurance the court held that a plaintiff had to show that actual loss flowed from the breach of the regulations. In that case the plaintiff could not show that he had suffered loss or damage as a consequence of the defendant’s breach. However, once the new regulations are in force it will no longer be necessary to prove actual financial loss, which will be a significant change to the law in Ireland.
Mandatory Notification of Data Breaches
Breaches of personal data will have to be reported to the Data Protection Commissioner within 72 hours of the breach, unless the personal data has been anonymised or encrypted. If there is a possible adverse impact for the individual data subjects then the individuals will also have to be notified.
Prudent businesses should start preparing now for the changes to our data protection laws which will be brought into effect in May 2018. To prepare, businesses should review their existing data protection policies and terms and conditions to ensure that the terms will be fully compliant. Organisations should then train their employees on the changes, communicate the changes internally and implement them in full.