Time Is Running Out For Businesses – we can help you become GDPR compliant

Time Is Running Out – Is Your Business GDPR Ready?

If you haven’t already heard about the General Data Protection Regulation (GDPR), or you have heard of it but your organisation has yet to prepare for the upcoming changes in the rules, now is the right time to start. GDPR is a complete overhaul of the legal requirements which must be met by anyone involved in handling the personal data of EU citizens; this includes employee records, customer information and client databases. The stated aim of the regulation is to give citizens greater control over what businesses can do with their personal data.

What Are The GDPR Fines Or Punishment?

So the focus is on the GDPR, and the penalties for non-compliance are eye-watering:

  • Infringement of Articles 5, 6, 7 and 9 carries a penalty fine of up to €20M or up to 4% of the total global revenue of the preceding year, whichever is greater.
  • Infringement of Articles 8, 11, 25-39, 42 and 43 carries a penalty fine of up to €10M or up to 2% of the total global revenue of the preceding year, whichever is greater.

In summary, we know that the GDPR is coming, that it will become law in May 2018, that it is important, that it should not be ignored and that there will be some pain if we fall short.

You need to comply with the GDPR.

Summary of current laws on Data Protection

The current laws on Data Protection are the Data Protection Acts of 1988 and 2003. Under those acts a Data Controller who obtains, stores and processes any data regarding a living individual on a computer or in a physical file is subject to the following obligations:

  1. To keep data secure at all times;
  2. To make sure data is kept accurate and up to date at all times;
  3. To ensure that the data maintained is relevant and not excessive;
  4. To obtain and process all data fairly;
  5. To retain data for one or more explicit and lawful uses;
  6. To use and disclose data in accordance with point 5 above;
  7. To retain data for no longer than necessary; and
  8. To furnish each data subject with a copy of their personal data on request.

When do the current laws on Data Protection change?

On the 25th of May 2018, the EU General Data Protection Regulation (“GDPR”) comes into force. The GDPR will revamp and overhaul the existing Data Protection laws in Ireland and will repeal the previous legislation in this regard, namely the Data Protection Acts of 1988 and 2003.

What does this mean for you?

The GDPR will impose decidedly more obligations on enterprises and grant more rights in favour of data subjects/Individuals with respect to their data.

What specific obligations should you be aware of?

  1. Severe sanctions – Enterprises could potentially face fines of €20 million and 4% of total worldwide annual turnover for serious breaches.
  2. Consent – The GDPR will significantly raise the threshold for valid consent so that it is freely given, specific, informed and unambiguous.
  3. The definition of personal data is broadened to include online identifiers such as IP address, Cookies and RFID tags.
  4. Lawful Processing – The GDPR will make it harder for enterprises to fall within the existing justifications for processing data.
  5. Additional rights for Data subjects/Individuals – the right to data portability, the right to be forgotten, the right to restrict the processing of data in certain circumstances, and reduced timeframes for responding to Data Protection requests.
  6. Mandatory obligation to designate a Data Protection Officer for certain organisations.
  7. Data Processors will be regulated and can be liable for claims taken by Data subjects/Individuals and for sanctions in terms of breaches of GDPR.
  8. GDPR requires a data controller to notify the Data Protection Commissioner of any breach without undue delay and within 72 hours where feasible, and in the case of Data subjects/Individuals without undue delay where there are risks to their rights and freedoms.
  9. The narrative of accountability permeates the GDPR. Organisations are required to implement data protection “by design” and “by default” which requires taking data protection risks into account when creating all new processes, products, and services.
  10. GDPR will apply to any enterprise which processes the personal data of EU Data subjects/Individuals, whether that enterprise is established in the EU or not.

What GDPR services do we offer?

At Gibson & Associates, our Solicitors have expertise in all aspects of Cyber & Privacy Laws, Reputation Management, and Data Protection Laws. We advise on compliance, including conducting audits, drafting and redrafting of relevant contracts, policies & procedures, data protection requests and the lawful use of image capture technology and other processing equipment.

  1. GDPR Health Check:

Following receipt of our completed pre-audit questionnaire, the GDPR Health Check phase can commence. This first phase is essentially an audit/risk assessment. It requires the identification of the scope and nature of your company, its business and its data lifecycle, from the point of entry to exit/destruction. We will also need to conduct a number of interviews along with auditing systems, processes and policies. The areas to be covered by the audit, and those specifically not covered, need to be identified in the pre-audit questionnaire (e.g. finance, HR, etc.).

  2. The Path to GDPR Compliance:

The output of this exercise is the response to the GDPR Health Check. This phase takes the form of a recommendations Report or action plan providing a path to becoming GDPR compliant. The Report will list the actions which should be taken and, where possible, a chronology of those actions. It will also set out how these actions, once taken, will bring about compliance, and it will highlight the risks associated with not implementing them.

  3. Drafting/Amending of GDPR Procedures & Policies:

This phase requires the completion of the GDPR Health Check and the Path to GDPR Compliance. Those two phases will have identified what needs to be done in terms of processes, procedures and policies, and which of these need to be reviewed and updated, or created. This phase may also be expanded to include the drafting/amending of existing employee/data processor contracts in light of GDPR.

  4. Outsourcing of the DPO Role:

This option involves the outsourcing of the role of Data Protection Officer. The outputs of this service will be the same as those of an internal DPO, except that this service is likely to be provided within a more focused time period, subject of course to your needs/preferences. It may be the case that this service is only necessary for a limited period.

What additional services do we provide for Data Controllers/Data Processors?

The preparation of responses to requests under Data Protection Acts 1988 & 2003 or GDPR.

The preparation of responses to complaints from the Data Protection Commissioner.

The appealing of Enforcement Notices in Circuit Court served by the Data Protection Commissioner.

What additional services do we provide for Data subjects/Individuals?

Reputation Management.

Carrying out requests under Data Protection Acts 1988 & 2003 or GDPR.

Carrying out of complaints to the Data Protection Commissioner.

Advice on the right to Privacy under the Irish Constitution.

If you want to make sure your business is data protection compliant, make an enquiry below and we will get back to you.