The General Data Protection Regulation (GDPR) became law in Ireland on the 25th May 2018 replacing previous laws in relation to the protection of data.
This is a European Law which imposes significant fines on businesses who do not comply with it.
The principles of the GDPR are similar to previous data protection legislation. It requires businesses who store data regarding their customers or clients to examine:
- why they retain that information;
- how they obtained that information;
- why they originally gathered that information;
- how long they will retain it, whether it is secure and whether they ever intend to share it with others.
The current legislation requires that businesses must notify their clients or customers of:
- why they gather the data;
- what they will use it for;
- who they will disclose it to, and
- whether it will be transferred outside the E.U.
The GDPR goes further to impose an obligation on businesses to tell their clients and customers whether the data they collect will be subject to any automatic decision making, what their rights are under the GDPR and how they might complain.
Clients and customers are entitled to be provided with what information is recorded about them, to have any inaccuracies corrected, to have information erased if it is not necessary and to object to direct marketing.
You must respond to a request for access for information, which you hold, within one month and you cannot charge for the request unless you can demonstrate that the cost of complying would be excessive. You can refuse to comply with the request for information where it is very clearly excessive or the request is unfounded but you must be able to show clear refusal policies and procedures and explain the grounds for any refusal.
Businesses will need to obtain very clear consent from customers to the use of their personal data. They must know exactly what they are consenting to and they must take a particular step to consent i.e. they can’t be deemed to consent by not having taken a step.
The GDPR reinforces the existing obligation to report a data breach to the Data Protection Commissioner and, where the breach might bring harm to an individual (for example theft or breach of confidentiality), the person concerned must also be advised.
There are very heavy penalties for companies who fail to comply with the GDPR, although it is unknown at this stage what penalties will, in practice, be imposed.
SUGGESTED STEPS FOR OUR CLIENTS:
- Conduct an audit to establish what personal data you currently have, how you got it and how you store it.
- Develop a policy whereby you will erase any information where you do not have the specific consent of customers or clients to keep it or where you have no valid reason to keep it.
- Analyse your computer systems to establish how secure the information is and instruct your I.T. advisors to implement the appropriate security procedures.
- Seek the consent of your customers and clients to keep their information, setting out clearly what information you will keep, how long you will keep it for and what the reason for keeping it is.
- Arrange over a reasonable time to erase the data that you currently do not need.
In the context of data protection, data refers to any information whether electronic or paper which is stored in an ordered way and can be searched. It won’t apply, therefore, to unsorted historical physical documentation.