6 things you need to know about Europe's new data protection laws

Irish companies will have to be in line with the regulations within two years.

By Philip Nolan Partner, Mason Hayes & Curran

THE GENERAL DATA Protection Regulation (GDPR) will come into effect two years after it is published in the Official Journal of the EU.

This means that Irish companies must be in full compliance with the GDPR by 2018.

With that in mind, we look at six of the headline issues:

1. Data Protection Officers

Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or involve processing large quantities of sensitive personal data, must appoint a data protection officer.

These officers must be experts in data protection law and privacy. They must also be able to act independently and report directly to senior management within organisations.

2. Increased penalties

For the first time, companies that breach data protection law can face fines calculated with reference to their annual turnover. Companies can be fined up to €20 million or 4% of annual global turnover, whichever is higher.

3. Privacy by design

Data controllers must ensure that privacy concerns are a key part of their decision making. The GDPR seeks to ensure that the privacy rights of data subjects are prioritised by data controllers when they make business decisions.

Controllers will have to carry out privacy impact assessments for any actions that may pose a high risk for data subjects’ privacy rights.

4. Consent

Data subjects must freely give specific, informed and unambiguous consent to the processing of their data. Where a data controller collects personal data for one specific purpose, the GDPR requires that data subjects give additional consent for each additional processing operation.

The GDPR also gives EU member states discretion to decide what the minimum age will be for data subjects to consent to processing of their personal data.

5. Data breaches

If a company suffers a data breach, the GDPR introduces a mandatory obligation to notify the local data protection authority without delay. The GDPR states that, when possible, companies should notify their local authority within 72 hours. When the data breach poses a high risk to the privacy rights of data subjects, affected data subjects must also be notified without undue delay.

6. One-stop shop

The principle that a company, established in one EU member state, should be subject to supervision by one local data protection authority is endorsed in the GDPR.

However, the GDPR introduces a complex ‘consistency mechanism’. This is a formalised consultation process where national authorities are obliged to consult with other ‘concerned’ DPAs if they are deciding on pan-European issues. A panel of authorities, called the European Data Protection Board, will also be empowered to overrule the decision of a national authority through a two-thirds vote.

There are many concepts in the GDPR that reflect current law. However, some requirements, like the appointment of a data protection officer, are new. These requirements will impose new and additional obligations on businesses. The GDPR also leaves a number of issues to the discretion of member states. We can expect further clarifications over the next two years as we move towards 2018.

Irish companies will have to dedicate time and resources to understand how they can comply with the new reality that the GDPR represents.

Philip Nolan is a partner and head of technology law at Mason Hayes & Curran.
