General Data Protection Regulation and What You Need To Prepare For

With the General Data Protection Regulation (GDPR) coming into force on 25th May 2018, many companies across a variety of sectors are beginning to prepare for its introduction. With this in mind, Quest attended a very informative data protection briefing on Thursday, 30th March presented by Gemma Nolan of Mason Hayes & Curran.

While data protection rules and regulations have been in place for some time, there are many changes that will need to be implemented during the grace period (from now until May 2018) before the GDPR starts to apply.

Terms you need to be familiar with:

Personal Data: Any information relating to an identified or identifiable living individual. This includes online identifiers such as IP addresses and cookie identifiers, as well as more obvious details such as names and contact information.

Sensitive Personal Data: Personal data that attracts extra protection, including racial or ethnic origin, religious or political beliefs, trade union membership, health data and data about criminal convictions or offences.

Processing: Any operation performed on personal data, whether collecting, storing, using, sharing or deleting it.

Data Subject: The living individual to whom the personal data relates.

Data Controller: The person or organisation (alone or jointly with others) that decides why and how personal data is processed.

Data Processor: A person or organisation that processes personal data on behalf of a data controller.

What changes need to be implemented?

There are a number of changes that need to be implemented going forward. These are covered extensively in the GDPR Guide, which you can download here. Among the changes are stricter obligations around consent, new enforcement measures in the case of breaches, and a requirement for more transparent privacy notices.

What companies need to consider:

During the current grace or preparation period, companies will need to consider a number of items very seriously. For instance, is the company being transparent and obtaining valid consent? This will be required under law, meaning that a company will need to have a privacy policy documented at every point where personal data is captured. Within the recruitment industry, for example, a privacy notice will need to be positioned alongside every job application form.

Consideration will also need to be given to how long a company retains data. Personal data should only be stored for as long as it is needed for the purpose it was collected, so a clear retention policy will need to be put in place.

Security is exceptionally important when holding personal data. Investment in appropriate technical and organisational security measures will be necessary so that your data subjects' information is protected. Companies will also need to consider whether the data is being shared with third parties, and whether the data is leaving the EU/EEA, since transfers outside Europe are subject to additional restrictions.

Enforcement and Penalties:

It may seem severe, but the reality of the matter is that non-compliance can already result in criminal conviction and fines of up to €100,000 under the existing Irish Data Protection Acts. Direct marketing is also affected: emailing subscribers without their consent breaches the ePrivacy rules, and these fines can rise as high as €5,000 per email sent. The GDPR goes considerably further, with administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.

While some companies will tend to put GDPR on the long finger, the changes that need to be implemented are extensive. It is therefore advised to start preparing immediately and to appoint a Data Protection Officer who will oversee compliance with the regulation (mandatory for public bodies and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive personal data, and good practice for everyone else).