General Data Protection Regulation
On Friday May 25th 2018 GDPR came into force. Although the key principles of data protection don’t change, there are changes to the regulatory policies. Below, we look at the main changes we will now see in Irish Law.
The international scope and applicability of the GDPR are much broader than those of the Irish Data Protection Act, which has limited reach outside Ireland and the EU. The GDPR will apply to:
• All companies that process the data of Irish and EU residents, regardless of their location.
• All companies based in the EU involved in processing personal data, regardless of where the Data Subject lives.
• Companies that are based outside the EU but process the data of EU residents will have to appoint an EU representative.
Right of access
Individuals now have the right to request a copy of any personal data that Data Controllers may be holding about them, as well as confirmation of where this data is stored and the purpose for which it is processed. Data Controllers are obliged to provide a copy of the personal data, free of charge, in a format that is accessible to data subjects.
Under the GDPR, companies must be able to respond to and comply with subject access requests within one month, dropping significantly from the current 40-day limit.
Privacy by design
Organisations are obliged to incorporate data protection from the outset when designing new systems. Under the GDPR, data controllers and processors should only hold and process data when it is necessary for the completion of their duties. Access to personal data should also be limited within companies to those who need it to complete their processing.
Under the GDPR, individuals have the right to receive from data controllers a copy of their personal data “in a structured, commonly used and machine-readable format”. Individuals now also have the right to have their data sent to another organisation “without hindrance from the controller to which the personal data have been provided”. This right is already being acted upon in Ireland. A prime example is the new designated switching teams being developed by banks to allow you to easily switch provider. It is hoped this new right will encourage competition as organisations will have to comply with any requests made.
Under the GDPR, breach notifications will be mandatory “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Notification must be provided within 72 hours of first noticing the breach. Service providers are also obliged to notify the organisations involved “without undue delay” after becoming aware of a personal data breach.
The above is intended for information purposes only, and is not intended to be relied upon as legal advice Please contact us for advice specific to your needs. We, at Fitzsimons Redmond are happy to discuss with you any concern that you might have as to your privacy rights.
By Andrew Young, summer intern at Fitzsimons Redmond