And what enforcement will look like for Irish companies.
In this new era of GDPR, every organisation that holds personal data on people in the EU must comply with the new regulation. The main aim of the General Data Protection Regulation (GDPR) is to protect individuals against the misuse of their personal data by the organisations that process it. GDPR brings more transparency and security to the use of personal data, benefiting both companies and their customers. In the following paragraphs we explain the main GDPR principles, how enforcement will work, and what to do if you need to report a data breach.
If your company is not yet ready for compliance, New Horizons Ireland has gathered some useful tips and information to help you through the process.
8 Data Protection Principles for complying with GDPR
The principles below are based on the final text of the GDPR and were originally organised by the GDPR Coalition.
01 – Collect and process personal data fairly
02 – Obtain it only for one or more specified, explicit and lawful purposes
03 – Use and disclose it only in ways compatible with those purposes
04 – Keep it safe and secure
05 – Keep it accurate, complete and up to date
06 – Ensure that the processing is adequate, relevant and not excessive
07 – Retain it for no longer than is necessary for the purpose or purposes
08 – Give individuals a copy of their personal data on request
Scenarios where GDPR is applicable
At New Horizons Ireland we have been training people on the new regulation since last year, and one of the most important lessons we have learned is that GDPR involves the whole company; it cannot be a process led by just one person or one department. That said, there are a number of scenarios where the new regulation is certainly applicable.
- EU parent company
- Personal Data Locally
- Local Suppliers
- Staff Training
- Off-site Storage
- Trading with Non-EU companies
If you wish to read the full version of those scenarios, see our previous article:
Scenarios where GDPR is applicable
How to communicate a data breach in Ireland
The GDPR introduces new requirements for organisations to report personal data breaches to the relevant supervisory authority, which in Ireland is the Data Protection Commission. Organisations must notify without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Strictly, Article 33 exempts breaches that are unlikely to result in a risk to the rights and freedoms of individuals, but the recommendation is to notify the authority whatever the risk level, and every breach must in any case be documented internally. Where a breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay.
The report can be submitted by email; before doing so, you should assess the risk posed by the breach. The Data Protection Commission in Ireland classifies breach risk as follows:
- Low Risk: The breach is unlikely to have an impact on individuals, or the impact is likely to be minimal.
- Medium Risk: The breach may have an impact on individuals, but the impact is unlikely to be substantial.
- High Risk: The breach may have a considerable impact on affected individuals.
- Severe Risk: The breach may have a critical, extensive or dangerous impact on affected individuals.
When you first determine how serious the breach is, focus on its impact on the individuals whose data has been exposed. In assessing that impact, consider the nature of the breach, its cause, the type of data exposed, the mitigating factors in place (for example, whether the exposed data was encrypted) and whether the personal data of vulnerable individuals has been exposed.
You can review the full process for notifying a data breach on the Data Protection Commission website here.
Enforcement
At the Global Privacy Summit, Irish Data Protection Commissioner Helen Dixon gave some indication of how GDPR enforcement will work.
"There will be fines, and they will be significant." "I like to twist it back around to remind everyone what the GDPR is, which is about accountability backed up by ex-post enforcement under Article 83. I think it is quite clear that when we do identify an infringement that's of the gravity, duration and scope that is serious, then we are obliged considerably to administer an administrative fine," said Dixon.
You can read more about this in IAPP's article here.
Get trained
At New Horizons Ireland we provide a wide range of GDPR courses to prepare you and your team. Check them out below:
GDPR Certifications
Certified Information Privacy Professional
The “what” of privacy, and why you need it.
- Legal
- Compliance
- Information Management
- Data Governance
- Human Resources
Duration: 2 days
Includes:
- Exam
- IAPP membership
- Official training
View outline
Certified Information Privacy Manager
The “how” of privacy operations, and why you need it.
- Risk Management
- Privacy Operations
- Accountability
- Audit
- Privacy Analytics
Duration: 2 days
Includes:
- Exam
- IAPP membership
- Official training
View outline
Certified Information Privacy Technologist
The “how” of privacy and technology, and why you need it.
- Information Technology
- Information Security
- Software Engineering
- Privacy by Design
Duration: 2 days
Includes:
- Exam
- IAPP membership
- Official training
View outline
Other Popular GDPR courses
The GDPR Primer for Data Protection Officers - 2 Days
- The social, historical and legal background leading to the General Data Protection Regulation (GDPR)
- Principle one: the criteria governing fair, open and transparent processing of personal data
- The role of the Data Protection Officer (DPO)
- The remedies, liabilities and penalties available under the GDPR
- Provisions for specific processing situations
- Preparing for implementation of the GDPR
Outline and course dates