The most common questions on the new data protection law answered

Under the GDPR all companies and organisations will have to adopt stringent procedures when it comes to collecting, protecting, and storing that data belonging to EU citizens.

These will include data 'anonymisation', a requirement to notify consumers on which you hold any data within 72 hours if a breach occurs.

Here we answer some of the most commonly asked questions about the legislation.

What constitutes 'data'?

Under the GDPR it is not just information such as passwords, pin numbers or dates of birth that companies and other organisations will be legally obliged to protect and treat ethically, but anything that could be construed as 'personal data'.

This includes data subjects' location data, social security numbers, IP addresses, email addresses, as well as any and all details on physical characteristics such as age, race, physical attributes, or gender.

Why is the GDPR needed?

There were two main problems with the data legislation that the GDPR replaces - the first was that it was outdated (pre-dating companies like Facebook, Instagram, Twitter, Snapchat etc).

The second issue is that the penalties were far too low. For example, some companies saw a potential fine for an illegal direct marketing campaign as part of their budget. That will not be possible under the new legislation.

Financial penalties

The penalties are significant by any measure - for "very serious breaches" the penalties reach €20m or 4pc of total worldwide annual turnover (whichever is greater).

The company found to be negligent can also be sued by the data subject.

Even if there is no proof that the consumer has suffered material damage, if the company cannot prove their compliance with the GDPR, they can be subject to a civil claim.

Recent research has also shown that serious data breaches negatively effect consumer and investor confidence, and can hit share prices hard.

Who (or what) is a DPO?

Under the GDPR many companies will be required to appoint a Data Protection Officer (DPO) to oversee how consumer data is collected, stored and disposed of.

For small companies which do not collect much consumer data this may be someone who takes on the role overall responsibilities in the company.

For consumer-facing companies which collect a lot of consumer data, the role will likely have to be a dedicated position.

The role will not be a middle-management appointment either - under the GDPR, the DPO must report only to the CEO of the organisation. It is permissible to appoint a third party consultant as your DPO.

Are we starting too late?

Many Irish companies are aware that the GDPR is coming, but the vast majority are not sufficiently prepared.

Only 6pc of those questioned in a recent survey by the Irish Independent said their GDPR plans were at an advanced phase.

The figure is very low and the fact that others are not ready either will not be a defence once the legislation is in place.

Where should our company start?

The first thing is to get started as soon as possible - this legislation is not a simple IT or HR fix.

It will likely involve an organisational overhaul in how your company treats consumer data, which will need to be addressed on an ongoing basis.

The second is to appoint someone - a qualified member of staff or outside consultant - to oversee the process, and to begin implementing some of the more straightforward practices, including amending consumer privacy statements.

The final, and perhaps most important, part is to begin the process of training staff, as compliance with this legislation is only possible if every member of your organisation is aware and actively implementing it.

The DataSec 2017 conference takes place on May 3 in the RDS in Dublin. The event will provide expert speakers, information and insight to help businesses comply with GDPR and get the most out of the legislation. Full line-up and details of ticket sales are available on independent.ie/datasec or call 01 7055397