Ireland’s Data Protection Commissioner (DPC) has issued guidance for businesses and individuals who need to get to grips with the upcoming EU General Data Protection Regulation (GDPR) directive and its hefty fines.
GDPR is an EU directive that comes into full force on 25 May 2018, 15 months from now.
The GDPR has severe penalties for organisations that lose data – up to €20m, or 4pc of an organisation’s revenue.
For example, Tesco Bank in the UK suffered a data breach recently. Under the GDPR, which comes into effect in 2018, Tesco would have been fined up to €1.8bn.
‘It is essential that all organisations immediately start preparing for the implementation of GDPR’
– DATA PROTECTION COMMISSIONER
A recent study by BT Ireland found that only a minority of CFOs at organisations with 800 employees are aware of the upcoming EU regulations on data.
This suggests that in smaller companies and among sole traders, the chances of decision-makers being up to speed on the GDPR are much slimmer.
GDPR means robust powers and hefty fines
The DPC of Ireland, Helen Dixon, has published a new guide to understanding GDPR from the perspective of individuals and businesses.
The document is the first in a series that will run up to 25 May 2018, when the GDPR comes into effect.
The DPC points out that GDPR gives data protection authorities more robust powers to tackle non-compliance, including significant administrative fining capabilities of up to €20m (or 4pc of total annual global turnover, whichever is greater) for the most serious infringements.
The GDPR also makes it considerably easier for individuals to bring private claims against data controllers when their data privacy has been infringed, and allows data subjects who have suffered non-material damage as a result of an infringement to sue for compensation.
“It is essential that all organisations immediately start preparing for the implementation of GDPR by carrying out a ‘review and enhance’ analysis of all current or envisaged processing in line with GDPR,” the DPC recommends.
“This will allow time to ensure that you have adequate procedures in place to deal with the improved transparency, accountability and individuals’ rights provisions, as well as optimising your approach to governance and how to manage data protection as a corporate issue. It is essential to start planning your approach to GDPR compliance as early as you can, and to ensure a cohesive approach amongst key people in your organisation.”