The General Data Protection Regulation was agreed on by EU lawmakers at the end of 2015. It will come into force next year, replacing the current Data Protection Directive (DPD).
Under the DPD, watchdogs in each nation are responsible for the regulation of data privacy. The GDPR will change that, meaning less variation between EU nations when it comes to data protection laws. This is because regulations apply directly, whilst directives must be individually implemented in each nation. The new legislation will bring significant changes for businesses and individuals across Ireland.
Changes for Businesses
Data protection will be extended under the new regulation - its scope is greater than that of the Data Protection Directive, meaning it will apply to businesses and data which weren't previously included. Significantly, non-European companies which process EU citizens' data will also be obliged to comply with the new legislation. Penalties for businesses which fail to comply will be severe, including fines of up to €20 million or 4% of the company's turnover.
Helen Dixon, Data Protection Commissioner of Ireland, has stated that the arrival of the EU’s General Data Protection Regulation (GDPR) will be a game changer for citizens and organisations throughout Ireland.
According to Dixon, “This revolution is going to change not only what we do, but who we are, and it will affect our identity, our sense of privacy and, without exaggeration, it will affect what it means to be human.”
Since data protection laws will now be similar across the EU, it may become easier for Irish businesses to trade with other EU nations. The downside is that organisations will now have a greater responsibility to comply with the laws. This means they must keep records of the way they process and protect customer data. Public bodies will need to appoint an expert Data Protection Officer, who must be involved whenever there are issues which relate to the protection of personal data.
If a business falls victim to a data breach which could harm customers, it will now be required to report it to the DPC within three days. Businesses may be fined if they fail to do this.
Under the new legislation, the Irish Data Protection Commissioner (DPC) will have a more significant enforcement role. It will gain the ability to fine non-compliant organisations, though it's unclear whether it will be responsible for sanctioning public bodies.
Irish businesses will need to start implementing changes as soon as possible to be ready for the GDPR. The upcoming changes should be carefully considered when planning new projects and looking to the future. Organisations which start preparing now will be far better placed to avoid compliance issues in 2018.
Changes for Citizens
Individuals' rights are set to be greatly enhanced under the new regulation. A major change is that Irish citizens' data will be protected by the General Data Protection Regulation even when it is collected and processed by a non-EU company.
Individuals will now be entitled to compensation from a company if they suffer any kind of damage because their data rights have been breached. It will also become easier for individuals to get their data deleted if the company has no justification for holding it (other than the customer's previous consent). If a company has automated any of the decisions it makes about its customers, citizens will now be able to question these decisions if they are personally affected by them.
Individuals will also have the right to transfer their data between two electronic processing systems - this is known as data portability. However, some say this is simply a functional matter and should not be associated with data protection.
The new legislation should be good news for Irish citizens. Many people are currently ill-informed about how their data is collected and used; it is hoped that the update in legislation will give consumers more control over their data and a better understanding of their data protection rights.