GDPR (General Data Protection Regulation)

The European General Data Protection Regulation (GDPR) replaces the existing Data Protection Directive and comes into force in May 2018. The Regulation applies to data controllers and data processors that hold or process any information about living individuals, referred to as data subjects. If you are presently required to comply with the Data Protection Acts (DPA), then GDPR will also apply to you. The GDPR enhances the rights and principles already defined in the Directive and the DPA; however, it also introduces some more significant changes, such as:

  • A requirement to actively demonstrate compliance and to document processing activities;
  • Greater powers for supervisory authorities and increased reliefs available to data subjects. The Office of the Data Protection Commissioner (ODPC) will have the ability to issue fines for non-compliance of up to €10M or 2% of global turnover (whichever is the greater) for serious breaches, and up to €20M or 4% of global turnover (whichever is the greater) for extremely serious breaches;
  • Mandatory reporting of data privacy breaches to the appropriate supervisory authority;
  • Introduction of ‘privacy by design’ as a concept when developing, designing, selecting and using applications, services and products that are based on the processing of personal data;
  • A requirement to complete Privacy Impact Assessments (PIAs) for change activity where there is a “high risk to the rights and freedoms” of the data subject, or where processing is likely to be carried out on a large scale.

The ODPC in Ireland has urged organisations to begin preparing for GDPR without delay and to carry out a review of all current and envisaged processing activity. This is complemented by guidance from other supervisory bodies such as the Information Commissioner’s Office (ICO) in the UK, which has advised organisations to consider the following:

  • the information you hold;
  • awareness and communication;
  • the rights of individuals;
  • data subject access requests;
  • the legal basis for processing;
  • consent;
  • the processing of children’s data;
  • data breach reporting;
  • privacy by design and PIAs;
  • data transfers;
  • the appointment of Data Protection Officers (DPOs).

Integrity360 data privacy specialists can assist organisations with their preparations through the following services:

  • Awareness Workshop
  • GDPR High-Level Readiness Assessment
  • GDPR Detailed Gap Analysis
  • Data Flow Mapping
  • Data Lifecycle
  • Documentation Development
  • Data Protection Control Framework
  • Privacy Impact Assessments
  • DPO as a Service