Its enforcement date in all EU member states is 25 May 2018, less than 12 months away, after which any organisation that is non-compliant will face heavy fines. Within Ireland awareness is low. Only 14% of small to medium enterprises have begun to prepare, according to a study for the Data Protection Commissioner, and while over two-thirds (69%) have heard of the GDPR, 70% are unaware of the start date and 83% are unable to say how it will affect their business.
So what is the EU’s General Data Protection Regulation (GDPR)? It is a regulation designed to harmonise data privacy laws across Europe, giving greater protection to personal data and strengthening the data privacy rights of all EU citizens. It will also reshape the way organisations across Europe approach data privacy.
The GDPR applies to any organisation that processes data about individuals in connection with the sale of goods or services to citizens in EU countries. Organisations within the UK whose activities are confined to the UK or to non-EU organisations will still need to comply before Britain leaves the EU. After leaving the EU, the UK has indicated it will implement equivalent or alternative legal mechanisms.
If you don’t comply, the penalties are heavy. Organisations can be fined up to 4% of annual global turnover or €20 million, the maximum fine, for breaching the GDPR. The GDPR also makes it easier for individuals whose data privacy has been infringed to bring private claims against data controllers and to sue for compensation for non-material damage.
The GDPR defines personal data as any information relating to a natural person, or ‘Data Subject’, that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer’s IP address.
The regulation covers every occasion on which personal data is captured: whenever you open a bank account, join a social networking website or book a flight online, you hand over personal information such as your name, address and credit card number.
Larger organisations, including public authorities, will need to appoint a Data Protection Officer to comply.
“Data protection laws exist to ensure fair play for everyone in how their identity and personal data is used by big corporations, governments and all sorts of organisations and businesses,” said Ireland’s Data Protection Commissioner, Helen Dixon. “The GDPR is a game-changing overhaul of our current data protection laws. It will impact every type of company and organisation regardless of their size and require many of them to take significant action well before May 25 2018.”
“We have one year to go before the implementation of the GDPR and the DPC is here to assist companies and organisations understand the steps they need to take on their journey towards GDPR-readiness. Through our engagement with industry and organisations from all sectors, as well as our new website which will be regularly updated with new guidance, our aim is to drive awareness of the new law by providing information and guidance that will assist organisations to be GDPR-compliant by May 2018.”
“It’s not a surprise that many companies, particularly SMEs, have not yet begun to get GDPR-ready or even considered what that might look like. Larger organisations, with greater resources, are likely to be more advanced in their preparations and are generally more cognisant of data protection requirements. Therefore, we are focused on helping SMEs who may feel that the GDPR doesn’t apply to them or that there is little to fear in ignoring it, when in fact this is far from the case.”
To help organisations prepare for the GDPR, the Data Protection Commissioner has launched an awareness-raising campaign at GDPRandYou.ie. The site includes a 12-step guide to getting ready, as well as a video and other downloadable materials, and the published guidance will be added to over the coming months.