Your Business and the European General Data Protection Regulation (“GDPR”)
Whether we like it or not data protection impacts every business, no matter the size, and, if you own or manage a company, your obligations are about to get much more onerous. Already in force, compliance with the European General Data Protection Regulation (“GDPR”) will be mandatory from 25 May 2018. This means that every company must be compliant by that date – which means every company should be taking steps now to ensure compliance. To review our 10 Step Guide to Start Preparing your Business for the GDPR click here.
Why should I care?
Cybercrime is currently estimated to be a $400 billion per annum industry and this is only expected to rise – so every company’s obligation to keep the data it collects/processes on behalf of others safe and secure is more important than ever.
More and more companies are being prosecuted for their breaches of data protection, as evidenced by the recent successful prosecutions against Paddy Power-Betfair, Topaz, Trailfinders and Dermaface.
Given the potentially debilitating sanctions for a breach of data protection under the GDPR, no business can afford to ignore its obligations; if the Tesco Bank raid (in which €2.8 million was stolen from online customers) occurred after the GDPR came into force rather than before, Tesco could have been liable to a penalty of up to £1.9 billion sterling.
What is data protection?
Every day, businesses collect, process and possibly use data (both personal and sensitive personal data) relating to customers, clients, employees and other third parties both by manual and automated means. How your company collects, stores and uses that information is regulated by the Data Protection Acts and now the GDPR and the definitions of personal and sensitive personal data have been broadened under the GDPR.
Data Controller or Data Processor?
If your company keeps and is responsible for data that it collects, it is categorised as a “data controller” and currently owes a duty to protect that personal data. It may be subject to a sanction for breaching those duties. If your company holds or processes data but has no control or responsibility over it, it is a “data processor” and, although currently its obligations may be limited, under the GDPR a data processor will owe a higher duty to protect that personal data and will be subject to sanctions for any breach of that duty.
It is likely that, as the standard expected of “data processors” increases, there will not be as much emphasis on the distinction between data controllers and data processors.
My business is outside the EU/EEA, will the GDPR affect me?
If you want to provide goods or services within the EU/EEA, or your business monitors citizens with the EU/EEA, then you must comply with the GDPR. For example, if a China-based organisation is trying to offer services to a person in Ireland (not only if a transaction is made), they must comply with the GDPR.
The GDPR significantly increases fines for breaches of data protection. An organisation may be fined up to €20,000,000 or 4% of its annual global turnover or, for lesser breaches, €10,000,000 and 2% of annual global turnover. To put that in context, Paddy Power-Betfair’s annual turnover for 2015 was €8.6 billion – a potential fine of 4%, or €336m, is significant!
The GDPR also formalises EU case law and shall allow a data subject to be compensated for any breach concerning their data – this is contrary to the current position in Ireland and a person will no longer need to show they have suffered a loss to make a claim for damages. This is likely to see a large increase in litigation for breaches large and small.