29 March 2018
Quintas Newsletter
Time is nearly up - Businesses have mere weeks to comply with the General Data Protection Regulation (“GDPR”)
by Joan Bourke, Legal & Compliance Officer
 

The clocks moved forward this weekend edging us that bit closer to the GDPR deadline of the 25th May 2018. Data Protection is certainly a hot topic with Cambridge Analytica and Facebook dominating recent news headlines where Cambridge Analytica, a big data company focused on political and commercial ad campaigns, illegally used the personal information of 50 million Facebook users. This company apparently masterminded Donald Trump’s surprise win in the 2016 U.S. presidential election and has been accused of playing a role behind the scenes of the Brexit referendum in 2016 by targeting potential swing voters. Facebook is under fire for not protecting Facebook users’ personal data better. Facebook’s Cambridge Analytica data debacle has been damaging to the company. Recently its market value fell by nearly $50 billion.

What we are seeing is just the tip of the iceberg! Facebook CEO Mark Zuckerberg said he expects there are other companies alongside Cambridge Analytica which may have abused their access to large amounts of Facebook user data.

Individuals’ personal information is now arguably the world's most valuable commodity. Huge amounts of data are controlled by just a privileged few mega-corporations such as Apple, Amazon, Facebook, Microsoft and Google's parent company Alphabet. Jurisdictions have been struggling to contain, regulate and protect personal data. The GDPR is set to radically change the way that all organisations manage individuals’ personal data, with the biggest reform in data protection law for over 20 years. It is a welcome piece of legislation to protect personal data from misuse and to ensure that corporations cannot profit from our personal data without our explicit and informed consent.

You may be asking yourself: does the GDPR apply to my business, or is it just the big tech giants like Facebook? It applies to all public, private and voluntary organisations of every size. If you have a business where you hold personal data, such as client data and/or employee data, then the GDPR applies to you.

The focus of the GDPR is on protecting the individual’s personal data. Personal data is defined broadly to cover any information that can be used to directly or indirectly identify a person. The GDPR is applicable to data controllers and data processors. A data controller is any person or body which collects data and determines how that data is to be processed, for example an employer. Data processors are persons or bodies which process the data on behalf of the controller, for example a payroll company. A business may be both a data controller and a data processor.

Some of the key changes that are implemented by GDPR include:

  1. Record keeping - Organisations will be required to keep records of the data they process, why they process it, for how long they process it and the legal basis for which they process it.
  2. Notification of breaches - Data breaches that impact on privacy will have to be notified to the Office of the Data Protection Commissioner (the “ODPC”) and any individuals that are affected within 72 hours of the occurrence of the breach. Failure to report a breach could result in a fine as well as a fine for the breach itself.
  3. Transparency – There are increased obligations to be fully transparent about how we are using and safeguarding personal data, and to be able to demonstrate accountability for data processing activities. The GDPR sets out the information that must be given to data subjects at the point of collection of the data. Privacy policies will need to be updated. Individuals must be told about what personal data is processed, why it is processed, the lawful basis for processing it, how long it will be retained for, who it might be shared with and what measures will be implemented to protect the data.
  4. Consent - The GDPR introduces new conditions as to how to obtain a valid consent. Consent to the processing must be given by a clear affirmative action in order to be compliant. Data subjects must be given an easy way to withdraw their consent at any time.
  5. Right to access - Data subjects have a right to access their data. The time limit for responding to such requests will be reduced from 40 days to within one month. Controllers will not be able to charge for processing an access request.
  6. Right to be forgotten/ Right to erasure - The GDPR introduces the right for data subjects to seek erasure of personal data concerning them without undue delay.
  7. Right to data portability - Individuals will be allowed to receive a copy of their personal data in a structured, commonly used and machine readable format.
  8. Third Party Processors - There will be direct obligations on data processors as well as data controllers. Controllers that use any third parties to process data, for example, outsourcing the IT function, must have a written contract in place with the processor.
  9. Data Protection Officer (“DPO”) – Appointment of a DPO in certain scenarios.

If you are not currently GDPR compliant, it’s not too late so long as you take steps now. Create a Roadmap of how data is identified, collected, processed and used. Carry out a Data Audit or Readiness Assessment to figure out what, how and why data is held and to determine what the lawful purpose of holding that data is. Review data security measures and ensure that personal data is held securely, i.e. that electronic documents are encrypted and password protected and that they are backed up on a regular basis. It is important to provide staff training on GDPR as soon as possible. Review data protection policies and procedures for your business and review your privacy policy. Ensure you have appropriate systems in place in the event of a data protection breach, and in the event of a data access request. Consider if consent is required and, if so, how consent is obtained and whether it is collected appropriately in line with the GDPR. Check to see if you fall under the category required to appoint a DPO. Review your Data Retention Policy.

Surveys have revealed that less than half of Irish businesses are ready for the new GDPR, which comes into force on May 25th. The Data Protection Commissioner, Helen Dixon, has said “To do nothing ahead of May 2018 is not an option, because there will be consequences to pay and the consequences will be very significant for any organisation…” The huge shake-up in the world of data privacy will see the introduction of fines of up to €20 million or 4 per cent of a company’s global turnover for privacy breaches. The GDPR has introduced the right to compensation: aggrieved persons can complain to the ODPC or initiate proceedings for compensation for material or non-material damage or distress suffered. Breach of the GDPR will result in loss of chargeable time and costs in dealing with data protection issues, Audits/Inspections by the ODPC, loss of client confidence, as well as litigation, fines and other costs. These crippling fines, as well as reputational damage, could close a business. While trust in Facebook, which still has 2 billion users, is at an all-time low, analysts believe that the tech giant will weather this storm as it has done many others. However, the same cannot be said of newer or smaller multinational tech firms, never mind your average small to medium sized business, should they breach any of their obligations under the GDPR.