How to Ensure Your Organisation is GDPR-Ready

Posted in: Supplementary Articles ROI on 28 August 2017
Legal-Island

The New EU General Data Protection Regulation (GDPR)

The General Scheme of Data Protection Bill 2017 was published in May of this year - it's the draft of what will be the domestic legislation that introduces the GDPR into operation in Ireland in May next year.

The deadline to comply with the new General Data Protection Regulation is 25th May 2018. Considering all the work in all organisations that the legislation will entail, that’s not long at all – you need to start preparing now.

NOTE: If you are based in Cork, our friends at Crowley Solicitors will be holding an early-morning GDPR event in Cork on 14 September – see here for details.

The GDPR will replace the EU Data Protection Directive to keep pace with technological advances including the handling of digital data and cyber security. All organisations, large and small, across the EU must securely protect all data collected – the new fines for failing to do so are enormous.

Why is the new General Data Protection Regulation necessary?

The main principle of the GDPR is that personal data can only be sourced and stored under strict conditions and for a legitimate purpose. It contains specific elements such as a right to be forgotten, as well as a data breach notification requirement – failure to comply with the GDPR will expose you to massive penalties.

Your obligation to notify data breaches

Businesses of all sizes will be required to report most breaches concerning personal data. You will be required to inform those individuals whose personal data has been affected along with the Data Protection Commissioner as soon as the breach occurs.

The ‘right to be forgotten’ and the ‘right to restriction’

An individual will have the “right to be forgotten” under the new GDPR legislation. Under the new legislation, individuals will have the right to have their records and personal data erased where there is no legal ground for retaining it. This will also apply to data being processed on your behalf by other agents.

Your data controller, or the person responsible for those duties, will have to erase all links to and copies of personal data where the subject withdraws their consent and there is no legal ground for your organisation to process it. In addition, you will also have to take action to notify others who are processing data on your behalf.

Data subjects (i.e. people, e.g. employees, customers, clients, service users) can also object to the accuracy of their data and, pending an investigation, stop it being processed under a provision called the ‘right to restriction’. All businesses should review their procedures for handling data erasure requests to ensure that they can meet their new obligations.

Getting the GDPR wrong is going to cost

If you have not prepared for the GDPR, you will expose your organisation to eye-watering fines and a damaging PR hangover so you really can’t afford to get the GDPR wrong! Organisations that fail to comply could face fines of up to €20 million or 4% of their global turnover and that’s before individuals take claims for damages.

Your GDPR preparation strategy

  • Small businesses may find it harder to cope with budgeting for this new piece of legislation - starting earlier and spreading the cost is the best tactic to take.
  • New procedures need to be introduced, such as security and breach notification – acting on these areas now will make the transition to complying with the GDPR smoother.
  • If you currently don’t have a data protection officer you may need to hire one sooner rather than later (take advice in relation to your organisation), and ALL staff must be trained on Data Protection.
  • Communicate with data processors and other stakeholders to find out how they will protect your information.
  • Start planning how to respond and process requests for data deletion/restriction, such as the ‘right to be forgotten’ and ‘right of restriction’.

Next steps to take...

It’s simple - you need to get up to speed with the new data protection regulations!

We can help to ensure your staff are trained on data protection. Contact a member of our e-learning team at elearning@legal-island.com to gain free access to our Data Protection Training and see how you can minimise the risk of a data breach in your organisation.

This article is correct at 28/08/2017
Disclaimer:

The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.


The main content of this article was provided by Legal-Island. Contact telephone number is 028 9446 3888 / 01 401 3874 or email scott@legal-island.com
