GDPR May 2018

The GDPR brings significant change. It will replace the current data protection legislation in Ireland and the EU and brings with it many new requirements and obligations. It is essential for all businesses, NGO’s and public bodies to be aware of the changes as there are very significant fines and sanctions for non-compliance. Being able to demonstrate that you are in compliance by means of documented policies, procedures and training is essential.

What is changing under the GDPR?
The GDPR introduces significant changes to the obligations of data controllers and data processors which will require organisations to review and redraft contracts, policies and procedures and other related documents to ensure they are in compliance with the provisions of the GDPR. It may also be necessary to prepare new policies where none currently exist.

Significant new obligations
The GDPR introduces new obligations on data controllers and data processors, including:

• increased obligations relating to accountability and transparency;
• requirements to facilitate and comply with enhanced rights of data subjects;
• reduced timeframes and additional obligations regarding data breaches;
• where consent is relied on for processing purposes – a higher threshold is now established;
• additional information must be given to data subjects;
• increased record-keeping obligations;
• obligations to appoint a data protection officer; and
• data protection impact assessments.

Increased sanctions for non-compliance
One of the most significant changes made by the GDPR is the area of sanctions for non-compliance with its provisions. The Office of the Data Protection Commissioner will be entitled to impose fines of:

• up to 2% of annual worldwide turnover or €10m (whichever is greater) for breaches relating to internal record-keeping, data security and breach notification, data protection officers, and data protection by design and data protection by default.
• up to 4% of annual worldwide turnover or €20m (whichever is greater) for breaching the data protection principles, conditions for consent, individuals’ rights, and international data transfers.

Data security
Ensuring that you have appropriate governance measures relating to access and use of personal data, whether in respect of employees, consultants, marketing/PR companies or third party contractors, is now strictly regulated. It is important that you have the controls and correct contractual apportionments of risk in place. Appropriate insurance cover should also be considered, given that the GDPR will introduce a new statutory civil right of action for third parties who suffer damage as a result of any infringement by you of your obligations under the GDPR.

How can Philip Lee help?
We are leading experts in the area of data protection law. We have advised private and public sector companies on the full spectrum of data protection compliance and enforcement issues. We have also acted in many of the leading data protection cases to come before the Courts. A number of our partners are CIPP/E certified (Certified International Privacy Professional – Europe). Our Data, Privacy and Technology team is ready to assist you in the run up to May 2018.

Get In Touch

Damien Young
PARTNER

Anne Bateman
PARTNER

Eoghan Doyle
PARTNER

Sean McElligott
PARTNER