GDPR: Five key changes to look out for from right of access to right to be forgotten
Sharon O’Reilly, IT Governance Europe will be a speaker at Ireland’s GDPR conference Dublin Data Sec 2018.
The second annual data protection conference Dublin Data Sec 2018, with keynote speaker the Data Protection Commissioner (DPC) for Ireland Helen Dixon will take place on Monday April 9th in the RDS Concert Hall.
With just over three months to go until the new European General Data Protection Regulation comes into effect, what changes will we see in Ireland? Although the key principles of data protection won’t change, the regulatory requirements built on them will. Here are five areas to focus on.
1. Territorial scope
The territorial scope and applicability of the GDPR are much broader than those of the Irish Data Protection Act, which has limited reach outside Ireland and the EU.
The GDPR will apply to:
- All companies that process the personal data of Irish and EU residents, regardless of where the company itself is located.
- All companies based in the EU that process personal data, regardless of where the individuals (referred to as data subjects in the Regulation) live.
- Companies based outside the EU that process the data of EU residents (whether or not the processing itself takes place in Europe) will have to appoint a representative established in the EU.
2. Right of access
Individuals now have the right to request a copy of any personal data that an organisation (a data controller in the Regulation) holds about them, together with confirmation of where the data is stored and the purpose for which it is processed. Controllers are obliged to provide a copy of the personal data free of charge (a reasonable fee may be charged for further copies), in a format that is accessible to the data subject, and their service providers (data processors in the Regulation) must assist them in doing so. Under the GDPR, companies must be able to respond to and comply with subject access requests within one month, a significant drop from the current 40-day limit.
3. Right to be forgotten
The right to erasure (‘right to be forgotten’) entitles data subjects to have their data erased by a controller without undue delay. Controllers must no longer disseminate the individual’s data, and in some cases will be required to ask third parties to stop processing the individual’s data. Even when this right is invoked, the Regulation allows organisations to retain data in certain circumstances, for example “for archiving purposes in the public interest”.
4. Privacy by design
Organisations are obliged to incorporate data protection from the outset when designing new systems. Specifically, “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.
Under the GDPR, data controllers and processors should only collect, hold and process personal data that is necessary for the specific purpose for which it is processed.
Access to personal data should also be limited within companies to those staff who need it to carry out that processing.
5. Breach notification
Under the GDPR, notifying the supervisory authority (in Ireland, the DPC) of a personal data breach will be mandatory “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Notification must be made within 72 hours of the organisation becoming aware of the breach. Service providers (processors) are also obliged to notify the organisations they process data for (controllers) “without undue delay” after becoming aware of a personal data breach.
Sharon O’Reilly is GRC/GDPR Consultant with IT Governance Europe.
With the deadline for the General Data Protection Regulation (GDPR) fast approaching, and the increasing risk of cyber attacks, Dublin Data Sec 2018 will guide businesses and organisations through the necessary steps to compliance with a focus on transparency, security and accountability.