As your inbox is taken over by GDPR circulars you may wonder what is this all about? You will be forgiven for thinking that this is the biggest thing to happen since the Y2K bug and be scared at the prospect of what will be required in order to comply.
We have had Data Protection Law in Ireland for the past 30 years. The Data Protection Act 1988 was updated in 2003 with the enactment of the Data Protection Act 2003. GDPR is The General Data Protection Regulation. It is an EU regulation on data protection and privacy for all individuals.
INDIVIDUALS
Put simply, the regulation puts an onus on organisations to account to you for the manner in which they collect and use your personal information.
Individuals have, since 1988, a right to personal information held by an organisation and a right to know who that information is shared with and a right to have this information corrected if it is inaccurate. This continues to be the case. GDPR adds to these rights with the introduction of “a right to be forgotten”. You have a right to have your information erased in certain circumstances.
You may wonder why you are receiving so many “GDPR consent emails”? If an organisation already has your consent to send you marketing emails, it needn’t send you emails asking for your consent now under GDPR. Many are doing this as a marketing exercise. If you did not consent to these emails in the first place, then it may be a breach of GDPR for the organisation to send them to you now but at least it gives you an opportunity to opt out and withdraw consent if you no longer wish to receive such emails.
ORGANISATIONS
If you are an organisation in fear of receiving data requests under GDPR then don’t be. If you were compliant with Data Protection Law prior to GDPR then you continue to be compliant.
GDPR imposes stricter time limits within which an organisation must comply with data requests and stricter penalties for non compliance and data breaches.
If you receive a data request under GDPR, you must comply with it within one month (you had 40 days to do so under the old law) and you face sanction and penalties for failure to comply. The biggest change that GDPR brings for your organisation is the mandatory duty to report a data breach within 72 hours.
The nub of the issue for organisations is “Do you have consent to use this information for the purpose you are now using it?”. If yes, there is no issue and you are entitled to continue to rely on that consent. You do not need to obtain a fresh consent. Even if you do not have express consent you may still be legally entitled to process the information on foot of a contract or statutory authority.
There are lots of rumours and myths surrounding GDPR and what needs to be done in order to comply with it. In reality, you must be responsible and respectful with regard to information you hold relating to individuals and the way in which you use it and share it.
Featured image Pixabay.com/The Digital Artist