Countdown to GDPR
When does the GDPR come into effect?
Published in May 2016, it comes into effect on May 25th 2018, and as it's an EU Regulation it doesn't need to be separately signed into Irish law.
What exactly is the GDPR?
The General Data Protection Regulation (GDPR) is a new regulation that applies to all organisations regardless of size, so that includes Small & Medium Enterprises (SMEs).
It is in some ways similar to the current Data Protection Acts 1988 and 2003 (the Acts), so if your business is compliant today, then much should remain the same under the GDPR – but of course there are changes too!
The GDPR introduces new requirements and amendments that mean you will need to look in detail at how your business collects and manages people’s personal data.
What benefits does the GDPR bring to Irish SMEs?
The GDPR should be seen as a positive move: it requires some preparation up front but brings the following benefits:
- It gives individuals residing in the EU more control over their data.
- It makes it simpler for businesses to do business across the EU.
- It gives consumers confidence that their private data will be respected and controlled.
What does it change for an Irish SME?
The GDPR changes how personal data that your business may have collected from private individuals or clients is controlled. It moves the right to control from the business over to the individuals themselves.
Individuals will now be able to specify and control which businesses can store and use their data. They can ask for that data to be removed, sent back to them or corrected if there are errors.
What does an Irish SME need to do to Prepare?
The Irish Data Protection Commissioner recommends carrying out a “review and enhance” analysis of all current or envisaged processing in line with GDPR. Basically, you need to take some time to review your operation, covering areas such as the following:
- Carry out Staff Awareness Training – anyone handling customer data is impacted
- Check all contracts or letters of engagement with GDPR in mind
- Review your Policies & Procedures for storing and handling confidential customer data
- Audit your IT Systems for compliance and risk to private data
- Consider if you need to assign a Data Protection Officer – part time or full time
What are some questions to consider going forward?
- If you use Customer Consent today to record data – are you managing that process properly?
- How will you manage Data Requests from people asking to delete or amend their data?
- If there is a Data Breach, how will you deal with that and make sure staff can too?
- Do you need a permanent Data Protection Officer, and how would you recruit or train up for that role?
- How will you manage Cross Border Processing if applicable?
- Do you need a DPIA (Data Protection Impact Assessment)? Yes, if your project is “likely to result in a high risk to the rights and freedoms of natural persons”
Are there any exemptions for Irish SMEs?
There are a few points to consider that can mitigate the full weight of GDPR on your SME business:
You don’t need to have a full time Data Protection Officer if:
- Your business does not process large amounts of data or does not handle special categories of data like information relating to criminal convictions or to ethnic or racial origin for example.
You don’t need to keep specific records of data processing if:
- Processing data is not a regular activity and is not likely to result in a risk to the rights and freedoms of the data subject.
You are required to report all data breaches unless:
- “…the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
What are the consequences of GDPR for an Irish SME?
Along with the benefits to consumers, there are consequences if businesses fail to comply:
- For serious infringements, penalties up to €20,000,000 (or 4% of total annual global turnover, whichever is higher)
- GDPR makes it much easier for individuals to bring private legal action if their data privacy has been breached.
- It also now allows individuals to sue for compensation if they have suffered non-material damage.
What next steps can you take as an Irish SME?
Get ahead of the game – according to ISME, 70% of its members have not identified the steps/actions that will need to take place to be GDPR compliant.
Use the resources of the Data Protection Commissioner to get detailed information on GDPR. Then carry out your review and put your Action Plan in place – ready for May 25th.
If you feel you need more help Contact Us today to see how a tailored GDPR Improvement Plan for your business can quickly set your mind at ease.
No information contained in this post should be construed as legal advice from Spotlight Business Improvement or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter.