The EU General Data Protection Regulation (GDPR) will be introduced in May 2018 and will significantly change the legal requirements that must be met by any individual or organisation handling the personal data of EU citizens. This EU Regulation will also affect Small and Medium Sized Enterprises, so it is important that such businesses take the necessary steps to ensure they are prepared for the implementation of this new law. Compliance will be enforced by large fines of up to 20 million euros or 4% of a company’s global turnover. We set out below 5 steps that SMEs can take to reduce the risks the GDPR poses to your business:
- Audit: If you control and are responsible for what happens to the personal data you hold, you are considered a data controller and it is advisable that you conduct an internal audit, to establish any areas that could cause compliance issues under GDPR. You should examine all personal data you hold and consider your reasons for holding the data, how you obtained the data and on what basis have you ever shared such data with third parties.
- Consent: Article 7 of the Regulation stipulates that the data controller must be able to demonstrate that they obtained consent to process an individual’s personal data. To ensure compliance with GDPR, you must consider whether you are processing any personal data without consent and, if so, you must seek written consent that is presented using clear and plain language in an easily accessible form.
- Access Requests: SMEs should review, and update if necessary, their procedures on how they handle access requests. The timeframe for handling access requests will be shorter than the current 40 days and you will not be able to charge for processing a request. Organisations must have a clear and precise refusal policy in place and must be able to prove that a request is unfounded or excessive.
- Data Breaches: GDPR will impose mandatory breach notifications on all organisations and SMEs should review whether they are equipped to detect, report and investigate a personal data breach. Most breaches must be reported to the DPC within 72 hours and must also be reported to the individual. Failure to report a breach within the specified timeframe can incur a fine, alongside a fine for the breach itself.
- Data Protection Officer: even a small business that processes a large amount of personal data may need to employ a Data Protection Officer (DPO). A DPO takes responsibility for your data protection compliance and must be sufficiently qualified to do so. A DPO should be easily accessible to the public and able to provide individuals with information about their personal data.
At Patrick F O’Reilly our Data Protection and Privacy team have the knowledge and experience your business needs to deal with all legal issues surrounding the GDPR. If you wish to obtain advice please contact:
Patricia Heavey, Partner at +353 (01) 6793565 or email firstname.lastname@example.org to make an appointment.