Helen Dixon is Ireland's Data Protection Commissioner, and in today's Irish Independent Adrian Weckler reports that she was "speaking at a seminar on Europe's upcoming data law which will introduce fines of up to €20m on companies which don't comply with tighter data protection rules, known as GDPR". Dixon is quoted as saying that with "May 2018 fast approaching I would urge businesses that now is the time to commence their GDPR-readiness activities". So I decided to take a quick look at what this GDPR is.
Image source: Irish Computer Society.
A&L Goodbody provides a guide for businesses so that they can start taking steps now to prepare for implementation of the new rules. The first thing the GDPR does is broaden the definition of personal data and sensitive data, for example, to include genetic and biometric data. Businesses will be impacted by this. The GDPR also introduces a new concept of accountability, which requires data controllers to "be able to demonstrate how they comply with the data protection principle" - the business impact will be that organizations will have to "implement appropriate technical and organisational measures to demonstrate that their data processing is performed in accordance with the GDPR". Amongst other things, DPOs (Data Protection Officers) will have to be appointed in public bodies. In private companies DPOs will be needed where their "primary processing activities involve large-scale systematic monitoring of data subjects (e.g. companies carrying out online behavioural tracking or profiling activities as their core business); or involve large scale processing of sensitive data or data relating to criminal convictions (e.g. cloud companies, who store medical records or other sensitive data, as their core business)".
I would certainly echo the Data Protection Commissioner's warnings in this matter: GDPR is coming down the road and we had all better be ready for it.