While the GDPR enhances rights for consumers, it also introduces new obligations for businesses. Failure to comply with data protection obligations now has serious consequences for business in that the Data Protection Commission has serious teeth and can levy fines of up to €20 million or 4% of global turnover, whichever is greater. Consumers now also have enhanced rights to claim compensation for damages if their data protection rights are infringed. Accordingly, it is very important that you review your insurance in your business immediately to ensure that you have appropriate cyber and data protection liability cover in place.
In addition, there is the massive reputational damage that can flow from a failure to comply with the GDPR. If nothing else, consumers are now more and more aware of their rights and will expect to see that the businesses they deal with respect those rights. So, while there are risks and challenges associated with becoming GDPR compliant, you can also turn GDPR compliance into a very positive thing for your business.
There is a lot to the GDPR and there is no way we can cover everything that you need to know on GDPR in your business here. So, what we will do is outline some of the new enhanced obligations that GDPR has created for businesses. These include:
- The obligation to ensure a lawful basis for the processing of data and to provide information to the people who are the subject of the data – you can only hold data if you have a lawful basis for doing so in the first place. And when you do hold data, the GDPR sets down very specific requirements on the information that you must provide to the people who are the subject of that data. This means you need to review your privacy notices on your website and the information that you provide to people when they start to do business with you. And of course, if you have employees, you must provide every employee with similar information about any data you hold about them. The GDPR imposes stricter requirements for sensitive data, that is data relating to health or medical matters, race, ethnicity, political opinions, criminal convictions, etc.
- The obligation to use processors that meet the requirements of the legislation – whenever you transfer data out of your business you need to ensure that the people you are transferring it to will be compliant and that you have a suitable written legal agreement in place with them before you make the transfer. This includes anyone who has access to your business from outside.
- The obligation to keep data secure and to report data breaches. One of the biggest changes brought about by the GDPR is the introduction of the mandatory requirement to report data breaches to the Data Protection Commission within 72 hours of becoming aware of the breach. These requirements highlight the importance of ensuring that your physical and cyber security measures are up to standard.
- The obligation to appoint data protection officers – the GDPR introduces the requirement to appoint a Data Protection Officer (DPO). Not all businesses will need to appoint a DPO but those coming within the criteria must do so and then publish the contact details of the DPO and notify the Data Protection Commission. A DPO must have appropriate expertise in data protection law and practice. You should be aware that once appointed a DPO can never be given instructions in relation to their data protection tasks and can never be dismissed for carrying out those tasks. Therefore, the DPO is a protected category of employment and any business should think carefully about whether they need to appoint a DPO and, if so, who to appoint.
- The obligations relating to transferring data outside the EU – data cannot be transferred outside of the EU without adequate safeguards in place. There are a number of methods by which this can be achieved with the most common being the use of what are called Model Contract Clauses prepared by the European Council for this purpose. Where you transfer data in your business outside of the EU you should ensure that appropriate safeguards are in place and documented. This is particularly important when you use any cloud computing applications in your business. If you are using the cloud you should establish where that data is located in the cloud and, if it is transferred outside of the EU, that adequate safeguards are in place.
- Finally, while most of our clients are based in Ireland, if your business is based outside of the EU (and, of course, the UK may well come into this category from March 2019) and your business does not have a physical establishment in the EU, you must appoint a representative in the EU for your business as a point of contact for data subjects and regulatory authorities in the EU.
Contact our GDPR lawyers for advice on compliance
If you would like to find out more about how to ensure that your business is compliant with GDPR or if you need a GDPR Article 27 Representative in the EU for your business, please contact us.