The General Data Protection Regulation (GDPR) is the most significant change in more than 20 years in how data about identifiable individuals is handled. The GDPR was adopted on 27 April 2016, entered into force on 24 May 2016, and applies from 25 May 2018, after which organisations that are not compliant face much heavier sanctions than under the previous regime. The GDPR replaces the patchwork of national data protection laws across the EU with a single regulation, imposes obligations on every business that processes personal data, and strengthens individuals' rights over the data organisations hold about them. It applies to any organisation that collects, holds or processes information about identifiable individuals in the EU, wherever that organisation itself is established (Article 3). Businesses that are not compliant may face fines of up to €20 million or four per cent of global annual turnover, whichever is greater (Article 83).

Why GDPR is important for Engineers


The GDPR obliges all businesses to reform how they collect, handle, protect, store and dispose of client and employee data, and, crucially, to be able to evidence their compliance. Article 5(2) states that "the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')". Below is a high-level view of the steps that need to be considered. It is not exhaustive, but it indicates the level of commitment and resources required to bring a company to a compliant standard and to evidence that compliance when required.
  1. Awareness
    1. Ensure that you, your staff, your suppliers and your processors are aware of their obligations under the GDPR (Articles 5-50).
  2. Know and evidence what data you collect and how you process it. (Article 30)
    1. Make an inventory of all personal data you hold. Why do you hold it? Do you still need it? Is it adequately secured?
  3. Ensure you are collecting and processing only the data strictly necessary to perform the function (Article 5(1)(c), data minimisation).
  4. Know and evidence how you protect and secure that data using technical and organisational measures (Articles 5(1)(f) and 32).
  5. Know and evidence how and with whom you share that data, including processors (Article 28) and any transfers outside the EU (Articles 44-49).
  6. Transparency (Articles 12-14)
    1. Businesses must make it clear to clients and staff what data they collect and all processing performed on it, including any sharing and the retention periods (Articles 13-14; the same information belongs in the Article 30 records of processing).
    2. Ensure all your legal notices and documentation are GDPR compliant: privacy statements, client information notices, descriptions of processing and other data protection documents and policies.
    3. Review all your data privacy notices and make sure service users are kept fully informed about how you use their data.
  7. Basis of Processing (Articles 5-11)
    1. Know, and be able to demonstrate, the lawful basis for each processing activity (Article 6).
    2. Are you relying on consent, performance of a contract, a legal obligation, legitimate interests or another of the Article 6(1) bases to collect and process the data? Does each meet the standard the GDPR sets for it?
    3. If your basis of processing is consent, review how you seek, obtain and record it (Article 7), and whether you need to make changes to be GDPR ready.
  8. Can you facilitate individuals rights?
    1. Under the GDPR, individuals' rights over their data are enhanced, and companies must not only be able to facilitate these rights but also have evidence (policies and procedures) to support this.
      1. Articles 13 and 14: Right to Be Informed (what you collect, why, for how long, and with whom you share it)
      2. Article 15: Right of Access (to obtain a copy of all data you hold about them)
      3. Article 16: Right to Rectification (to correct any erroneous data)
      4. Article 17: Right to Erasure ("Right to be Forgotten")
      5. Article 18: Right to Restriction of Processing (to have processing limited to storage, for example while the accuracy of the data is contested or an objection is being considered)
      6. Article 19: Notification Obligation (you must communicate any rectification, erasure or restriction to every third party with whom you have shared the data, and tell the individual who those third parties are if they ask)
      7. Article 20: Right to Data Portability
      8. Article 21: Right to Object to Processing
      9. Article 22: Right not to be subject to a decision based solely on automated processing, including profiling
      10. Article 7(3): Right to Withdraw Consent
  9. Policies and Procedures
    1. Have you got the required policies and procedures in place, and are your current policies adequate and GDPR compliant? For example:
      1. Privacy statement, consent, data protection, data breach management, data security, data subjects' rights, data protection impact assessment
  10. Privacy by Design (Articles 25 and 35)
    1. Privacy by design means putting the rights of individuals in relation to their data at the core of every data processing decision. In practice it means having documented processes so that, whenever new processing or changes to existing processing of personal data are contemplated, and that processing is likely to increase the risk to individuals, the company performs a mandatory Data Protection Impact Assessment (Article 35), implements the mitigating measures it identifies, and keeps evidence of both.
  11. Staff Training (Article 39)
    1. Companies must be able to demonstrate that all staff who access information on data subjects are aware of their obligations under the GDPR and have received training and instruction, and the company must be able to evidence this.

In conclusion


The most important provision of the GDPR is that all companies must be able to evidence compliance, not merely state that they are compliant. Prepare your organisation for the forthcoming changes to EU data protection law. On April 11 there will be a free-to-attend event at 22 Clyde Road, Ballsbridge, Dublin 4, which will also be webcast: GDPR - What engineers need to know. Remember: compliance is mandatory.

Useful links


www.gdpr.ie
www.gdprtraining.ie
http://gdprandyou.ie/wp-content/uploads/2017/05/The-GDPR-and-You-2.pdf

GDPR.ie is part of The Data Protection Group, whose CEO is Paul McCourtney. The Data Protection Group are expert and experienced legal, data protection and business professionals who have worked in the industry for over 30 years. The Data Protection Group provides industry-leading, qualified, GDPR-related privacy and compliance solutions to professionals and enterprises throughout Ireland and Europe.