Key Impacts of the General Data Protection Regulation (GDPR)
As mentioned in our introductory post, the new EU General Data Protection Regulation (GDPR) is being introduced, with the deadline for compliance being 25th May 2018. Considering all that the legislation entails, that is not long at all – we would advise every business to start preparing now. In anticipation, we have put together a GDPR series of blogs and briefings detailing the Regulation, the Key Impacts and the next steps to ensure your business is compliant come 25th May 2018.
The ‘right to be forgotten’ and the ‘right to restriction’
One of the most talked-about parts of the GDPR is that an individual will now have the “right to be forgotten” under the legislation. Individuals will have the right to have their records and personal data erased where there is no legal ground for retaining it. This will also apply to data being processed on your behalf by other agents. Data subjects can also object to the accuracy of their data, which must be removed whilst this is investigated under the ‘right to restriction’.
The ‘right to be forgotten’ does not provide an absolute right for employees to request data erasure. Under the current Data Protection Acts, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under the GDPR this threshold is not present. However, an employer can refuse to comply with a request for erasure where the personal data is processed for the following reasons –
To exercise the right of freedom of expression and information;
For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority;
For public health purposes in the public interest;
Archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
The establishment, exercise or defence of legal claims.
The main principle of the GDPR is that personal data can only be sourced and stored under strict conditions and for a legitimate purpose. It contains specific elements such as a right to be forgotten, as well as a data breach notification requirement; failure to comply could incur massive penalties for businesses.
Businesses of all sizes will be required to report most breaches concerning personal data. You will be required to inform those individuals whose personal data has been affected along with the Data Protection Commissioner as soon as the breach occurs.
Therefore it is of the utmost importance that you ensure all information collected, held or processed about your employees is handled for a legitimate purpose in line with the Regulation.
Your data controller, or the person responsible for those duties, will have to erase all links to, or copies of, personal data where the subject withdraws their consent and there is no legal ground for your organisation to process it. In addition, you will also have to take action to notify others who are processing data on your behalf. Data subjects can also object to the accuracy of their data and, pending an investigation, have it removed under a provision called the “right to restriction”. All businesses should review their procedures for handling data erasure requests to ensure that they can meet their new obligations.
There is also an obligation for organisations to maintain detailed records of processing activities. Organisations are now expected to ensure data privacy by design, “baking” data protection principles into all business processes from the outset. You must also undertake Data Protection Impact Assessments, that is, a ‘risk assessment’ for high-risk data processing such as profiling, large-scale processing of special categories of data and large-scale monitoring of public places.
Getting the GDPR wrong is going to cost
If you have not prepared for the GDPR, you will expose your organisation substantially, as organisations that fail to comply could face fines of up to €20 million or 4% of their global turnover.
Additionally, in cases taken by individuals on the basis of a data protection breach, compensation is currently awarded only for material damages. Under the new GDPR, however, this right will extend to awards for non-material losses and damages such as stress and reputational damage.