What do companies need to do?


Briefing: GDPR

The General Data Protection Regulation ("GDPR") will come into effect on 25 May 2018. The GDPR will replace the existing data protection laws in all EU member states and is designed to result in a single, uniform set of data protection rules applying across the EU.

This briefing was produced by the Institute of Directors in association with McCann FitzGerald for use in Ireland. McCann FitzGerald is one of Ireland's premier law firms, providing a full range of legal services to many of Ireland's leading businesses. Clients include international organisations, major domestic concerns, emerging Irish companies and clients in the State and semi-state sectors.

Although many of the provisions of the GDPR are broadly similar to those contained in the existing data protection framework, there are a number of new and more onerous requirements. Between now and 25 May 2018 companies will need to examine existing data processing, review their data protection policies, procedures and controls and identify any gaps that need to be addressed. Following from this, companies will need to implement any changes required to demonstrate compliance with the GDPR.

What do companies need to do?

If not yet commenced, start the compliance review now: As it is now less than a year until the GDPR comes into effect, companies should be reviewing their data processing operations and their data protection policies and procedures and should start to implement any required changes. There is a particular emphasis under the GDPR on being able to demonstrate compliance. The GDPR will therefore increase the need for proper internal governance. While the GDPR removes the registration obligation many organisations are currently subject to, this is replaced with an obligation to adopt internal policies demonstrating compliance, for example by producing data inventories, general data protection policies, specific policies on security and Data Privacy Impact Assessments.

1 mccann fitzgerald

Consider whether data collected and used is necessary, relevant and proportionate: Companies should consider the life cycle of data, from collection to deletion, when considering whether their data processing is necessary, relevant and proportionate and when updating their data protection policies.

Revised Data Protection Notices with more detail: A company's data protection notice will need to provide more detailed information, for example, in relation to retention periods, the right to withdraw consent, the legitimate interest being relied on, and data subject rights. When considering the legal basis upon which personal data will be processed, companies should be cognisant of the fact that under the GDPR, consent must be freely given, specific, informed and unambiguous, it should not be bundled with other consents, and individuals have the right to withdraw consent at any time. Companies should also understand the increased rights of data subjects and incorporate these into their policies and procedures.

Contracts with service providers/data processors: Companies' contracts with their data processors will need to include more detailed clauses in relation to data protection. Companies should review and update their contracts governing the processing of personal data to be in compliance with the GDPR.

Data Protection Impact Assessments: The GDPR focuses on concepts such as privacy by default and privacy by design. It also envisages data protection impact assessments ("DPIAs") being carried out where the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons. Companies will therefore need to become familiar with the process of carrying out DPIAs under the GDPR. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organisations to identify potential privacy issues before they arise, and come up with ways to mitigate such issues. DPIAs will be mandatory in particular where the organisation carries out systematic and extensive evaluation of individuals based on automated processing (profiling), large scale processing of special categories of data and personal data relating to criminal convictions and offences, or systematic monitoring of public areas on a large scale.

Appointment of Data Protection Officers: Companies should consider whether they need to appoint a Data Protection Officer. The GDPR will require certain organisations to designate a DPO. Organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, and organisations who process what is currently known as sensitive personal data (e.g. health data, data as to the commission of offences etc.) on a large scale. Responsibilities of a DPO include monitoring compliance, advising on DPIAs, and acting as the contact point for the supervisory authority on issues relating to processing. The DPO must act independently and avoid conflicts of interest.

Ensuring awareness of GDPR obligations: It is essential that a company's staff are aware of the impact of GDPR on their business. The importance of having senior buy-in in preparing for the GDPR cannot be overstated. Companies should not delay in preparing for GDPR and becoming GDPR compliant, as to do otherwise may leave the company open to significant sanctions under the GDPR.

Why should directors care about GDPR?

Potential Significant Fines: It will be particularly important for companies to ensure that they are GDPR compliant given the potential penalties under the GDPR regime, which include administrative fines of up to 4% of annual worldwide turnover or €20 million (whichever is the greater). These fines may be levied directly by the relevant data protection authority and fines will be set at a level to ensure that they are effective, proportionate and dissuasive.

Other Significant Sanctions: In addition to administrative fines, there are several other sanctions which a non-compliant company could face under the GDPR. The Data Protection Commission will have the power to order companies to bring their processing operations into compliance. A non-compliant company could also face (i) an order to rectify or erase non-compliant data, (ii) a temporary or permanent ban on non-compliant processing, and (iii) a suspension of international data flows.

Potential Increase in Data Protection Litigation: Directors should be aware that companies may face an increase in litigation if they are non-compliant. Under the GDPR each data subject will have the right to an effective judicial remedy where they consider that their rights under the GDPR have been infringed. This means that data subjects may make claims for breaches of their data protection rights. Claims may also be made by not-for-profit bodies on behalf of data subjects. Any person who has suffered material or non-material damage as a result of an infringement of the GDPR will have the right to receive compensation from the company which has breached their data protection rights for the damage suffered. Litigation costs and compensation payments are likely to increase company expenses and liabilities.

Personal Liability of Directors and other Officers: The General Scheme of the Irish Data Protection Bill 2017 was published on 12 May 2017 and includes potential personal liability for directors and officers of companies. The Bill is intended to be the main Irish legislative instrument that will give effect to, or provide for exemptions from, certain provisions of the GDPR. Notably, directors, managers, secretaries and other officers of a company may also be found guilty of offences committed by that company, where the offence was committed with that individual's consent, connivance or neglect. The potential offences that may arise under the Data Protection Bill include failing to comply with an enforcement notice issued by the new Data Protection Commission or the disclosure by a processor of personal data being processed on behalf of a controller without that controller's authorisation.

Impact on Corporate Transactions

Potential Reduction in Company Valuation: Directors should be aware that the new data protection regime under GDPR is also likely to have an impact on corporate transactions. Until recently, non-compliance with data protection obligations has rarely been raised as a red flag issue in corporate transactions. However, it will now have the potential to be a deal breaker or to have a material impact on price.

For further information on this, or related topics, please contact the authors:

Paul Lavery, Partner, Head of Technology & Innovation, paul.lavery@
Adam Finlay, Partner, Technology & Innovation, adam.finlay@
Annette Hogan, Consultant, Technology & Innovation, annette.hogan@

Alternatively, your usual contact in McCann FitzGerald will be happy to help you further.

McCann FitzGerald and Institute of Directors in Ireland. All rights reserved.

Institute of Directors in Ireland, Europa House, Harcourt Street, Dublin. info@iodireland.ie

This document is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

McCann FitzGerald, July 2017