On May 25, 2018, the EU's 1995 Data Protection Directive and all member state laws based on it were replaced by the GDPR (General Data Protection Regulation), a pan-European data protection regulation. The GDPR introduces a 21st-century approach to data protection with its significant and extensive scope. It gives people more control over how their personal data is collected and processed, and it places several additional requirements on organisations (both controllers and processors) to make them more accountable for data protection. The Data Protection Act 2018 in Ireland, which also took effect on May 25, 2018, makes use of the limited scope the GDPR gives member states to adopt provisions or derogations governing how the Regulation applies in their country.
Who is covered by the GDPR?
- All EU-based organisations that collect, store, or otherwise process the personal data of people residing in the EU, whether or not those people are EU citizens.
- Organisations based outside the EU that offer goods or services to EU residents, monitor their behaviour, or otherwise process their personal data.
The main GDPR requirements are:
1. Accountability and Governance
You must be able to demonstrate compliance with the GDPR. This includes:
- establishing a governance structure with defined roles and responsibilities.
- keeping thorough records of every data processing operation.
- maintaining data protection policies and practices.
- conducting DPIAs (data protection impact assessments) for processing operations that pose a high risk.
- putting in place the necessary safeguards to protect personal data.
- running staff awareness training.
- appointing a data protection officer where required.
2. The six data processing principles
Six data processing principles are outlined in the GDPR and must be followed by data controllers. Personal information must be:
- Processed lawfully, fairly and transparently.
- Collected only for specific legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and, where necessary, kept up to date.
- Stored only as long as is necessary.
- Processed in a manner that ensures appropriate security.
3. Lawful processing
Personal data may be processed only on one of the following lawful bases; special categories of data may not be processed at all except in specific circumstances:
- If the data subject has given their consent
- To meet contractual obligations
- To comply with legal obligations
- To protect the data subject’s vital interests
- For tasks in the public interest
- For the legitimate interests of the organisation
4. Data subjects’ rights
Data subjects have:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object and
- Rights concerning automated decision-making and profiling.
5. Valid consent
There are stricter rules regarding consent:
- Consent must be freely given, specific, informed, and unambiguous.
- A request for consent must be understandable and written in clear, unambiguous terms.
- Consent can no longer be inferred from inaction, pre-ticked boxes, or silence.
- Consent can be withdrawn at any time.
- A child's consent to online services is valid only with parental approval.
- Organisations must be able to demonstrate that consent was given.
6. Data protection by design and by default
Data controllers and processors are required to put in place organisational and technical measures that are intended to effectively apply the data processing principles.
- The processing should incorporate the necessary safeguards.
- Any new procedure, system, or technology must take data protection into account from the design phase onwards.
- An essential component of privacy by design is a DPIA (data protection impact assessment).
7. Transparency and privacy notices
Organisations must be transparent about how and why personal data will be processed, and by whom.
- Data controllers must give data subjects a privacy notice when collecting personal data directly from them.
- Where personal data is not collected directly from data subjects, data controllers must deliver a privacy notice without undue delay and within a month, or at the latest at the time of their first communication with the data subject.
- Data controllers must decide how data subjects will be informed about each processing activity and then write privacy notices accordingly. Notices may be provided in stages.
- Privacy notices must reach data subjects in a clear, visible, and easily accessible form, written in plain language.
8. Data transfers outside the EU
Personal data may be transferred outside the EU only under one of the conditions below. After the transition period has ended, many non-EU organisations that process the personal data of EU residents must also appoint an EU representative.
- When the destination country has been recognised by the EU as offering an adequate level of data protection.
- Through standard contractual provisions or legally binding business practices.
- By adhering to an approved certification mechanism.
9. Mandatory data breach notification
Under the GDPR, a personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data that is transmitted, stored, or otherwise processed.
- Data processors must report all personal data breaches to the data controller.
- Where a breach poses a risk to the rights and freedoms of data subjects, data controllers must notify the supervisory authority (the Data Protection Commission (DPC) in Ireland) within 72 hours of becoming aware of it.
- Where a breach poses a high risk to the rights and freedoms of data subjects, the affected data subjects must also be informed without undue delay.
10. DPOs (data protection officers)
You must be able to demonstrate that the GDPR is being followed. This comprises:
- establishing a governance structure with defined roles and responsibilities
- maintaining a thorough log of all data processing activities
- maintaining data protection policies and practices
- performing DPIAs (data protection impact assessments) for processing operations that pose a high risk
- putting in place the necessary safeguards to protect personal data
- conducting staff awareness training and, where required, appointing a data protection officer