GDPR introduces new requirements on who is responsible for personal data and how it is controlled, on how personal data breaches must be notified, and on the penalties for non-compliance, which are substantially harsher than before.
Data Protection Officer
Under the GDPR accountability principle it is the organisation itself (as data controller), not the Data Protection Officer, that is accountable for demonstrating compliance with the data protection principles; the DPO's role is to advise on and monitor that compliance. Businesses will need to:
- Implement measures to ensure and demonstrate compliance;
- Maintain documentation/records of processing activities;
- Where appropriate, appoint a Data Protection Officer (DPO). A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data;
- Use data protection impact assessments (DPIAs) for high-risk processing.
If an organisation has 250 or more employees, it must also maintain internal records of its processing activities. Organisations with fewer than 250 employees are only required to maintain records of activities related to higher-risk processing. This includes:
- Processing personal data that is likely to result in a risk to the rights and freedoms of individuals;
- Processing that is not occasional; or
- Processing of special categories of data or data relating to criminal convictions and offences.
Data breach notification requirements
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach is therefore more than just losing personal data. Causes may include:
- Inappropriate access controls (e.g. devices without passcodes) that allow unauthorised use;
- Equipment failure;
- Human error;
- Unforeseen circumstances such as fire or flood;
- A hacking attack.
A breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where a full investigation is not possible within that timeframe, the information may be provided in phases, but the reasons for any delay must be given.
It is likely that employers will need a policy on reporting breaches under GDPR. Everyone within an organisation who is responsible for GDPR compliance will need to know the circumstances in which a breach must be notified and how the notification must be made.
In some cases the individuals whose data is involved in the breach must also be notified without undue delay, namely where the breach is likely to result in a high risk to their rights and freedoms.
Fines and penalties for non-compliance
A maximum fine of up to €10 million or 2% of total worldwide annual turnover (whichever is higher) can be applied for breaches of the obligations placed on controllers and processors, including:
- Failure to maintain records of processing activities;
- Failure to appoint a DPO where one is required;
- Failure to notify a breach to the supervisory authority or the data subject;
- Failure to carry out a data protection impact assessment in relation to high-risk processing of personal data.
A maximum fine of up to €20 million or 4% of total worldwide annual turnover (whichever is higher) can be applied for breaches of the basic principles of processing and of data subjects' rights, including:
- Processing personal data without a lawful basis (consent is one such basis, but not the only one);
- Failure to provide data subjects with transparent information, in a concise, intelligible and easily accessible form, about their rights under GDPR;
- Failure to demonstrate that the data subject has consented to the processing of his/her data, where consent is relied on;
- Failure to comply with the rights of access, rectification and erasure.
The above lists are not exhaustive.