At this stage, with only 152 days to go, you should already be well aware of the new EU-wide regulation coming into force next year.
The General Data Protection Regulation (GDPR) applies from 25 May 2018 to any personal data that companies hold or process within the EU. It also applies to companies established outside the EU, for example US companies, where they process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour.
Basis in Law
There is currently a wide array of national data protection laws across the member states. One EU-wide law, directly applicable in every member state without national transposition, will make it easier for citizens to have their rights protected and to obtain a remedy should those rights be breached.
In Ireland data protection has been enshrined in legislation via the Data Protection Acts 1988 & 2003. From an EU perspective we've had directives including the Data Protection Directive 95/46/EC and the Electronic Privacy Directive 2002/58/EC, the latter transposed into Irish law by the EC Electronic Privacy Regulations 2003 (SI 535/2003) and 2008 (SI 526/2008).
Key components of the existing data protection rules:
(Directive 95/46 & Data Protection Acts)
- Fairly obtained & processed
- Obtained for a specified, explicit purpose
- Not disclosed in a manner incompatible with that purpose
- Kept safe and secure
- Accurate, complete and up-to-date
- Adequate, relevant and not excessive
- Retained no longer than necessary for the purpose
- Right of access for the data subject
Questions you need to ask about data:
- How did you obtain it?
- Why was it originally gathered?
- Why are you holding it?
- How long will you retain it?
- How is it secured, both in terms of encryption and of who can access it?
- Do you ever share it with third parties, and on what legal basis?
- Are the data subjects fully aware of how you manage and use their data?
Rights for individuals under the GDPR include:
- Subject access
- Have inaccuracies corrected
- Have information erased
- Object to processing, including an absolute right to object to direct marketing
- Restrict the processing of their information
- Data portability