The General Data Protection Regulation (GDPR) will replace the previous European Directive on the 28th of May 2018.
Although it is a piece of European legislation, the Regulation will have “direct effect”, which means it will automatically become part of Irish law.
The Regulation will bring about a number of major changes to Data Protection law in Ireland and enhance the level of data protection for individuals across the continent.
Firstly, the GDPR will place a much higher threshold on companies in obtaining consent from individuals to store and process their personal data.
Consent must be freely given, informed, specific and unambiguous. Moreover, the Regulation implies that it will require an affirmative act by individuals.
Therefore, companies that wish to hold data will be required to have an ‘opt-in’ policy for the benefit of their customers.
The Regulation will also enhance the rights of individuals in obtaining copies of their data from companies.
The time for processing a data access request has been reduced to 30 days, and requests will now be free of charge.
The GDPR also expressly recognises the right to be forgotten (that is, to have your data deleted when it is no longer relevant) and the right to data portability (the right to have your data easily accessible and transferable).
Companies will also have additional duties when there are victims of a security breach. Any data breach must be reported to the Data Protection Commissioner within 72 hours, and to the individuals concerned if it affects their privacy rights.
Any organisation that engages in regular and systematic monitoring of large amounts of data will be required to appoint a Data Protection Officer.
The GDPR allows for claims to be taken for material and non-material damages or breaches. A company may be fined up to €20 million or 4% of annual turnover of the previous year for a breach.