The General Data Protection Regulation 

The General Data Protection Regulation (GDPR) has been in the making for over four years and in April 2016 it was finalised.  It has an expected implementation date of 25th May 2018 whereby it “will explicitly put back onto organisations the clear obligation to properly organise themselves to ensure they are adequately protecting the individual’s fundamental right to data privacy and can demonstrate their accountability in this regard”. The GDPR unifies the Data Protection laws within the EU and the regulation promises data protection rules that will remove red tape for businesses but also tighten privacy protections for online users.

The GDPR will have a significant impact on how organisations operate. This includes but is not limited to the following aspects of Data Protection; 

• appointing a Data Protection Officer 
• the mandatory reporting of data protection breaches to the ODPC 
• the tightening of requirements around gathering consent 
• the right to data erasure for individuals 
• fines for non-compliance up to 4% of annual global turnover or €20 million, whichever is bigger
• the introduction of Privacy by Design 

Privacy and data protection concerns present a growing challenge for organisations. Over the past 12 months there have been a number of high profile data protections incidents and breaches in Ireland and across Europe. By implementing good practices and conforming to the associated requirements, organisations can prevent unforeseen interruptions to their operations. 

Data protection affects every organisation and the staff members within the organisation. Complying with the laws, regulations and applicable codes requires awareness of the data protection rules amongst staff members and a culture that encourages secure data handling practices. Organisations need to ensure they have a coordinated strategy which makes it possible to identify and align regulatory change with business-led change. 

In order to achieve compliance with the Data Protection regulation, legislation and codes, it is important to create a culture of compliance – without senior executive buy in, it is hard for a data protection officer to create this culture.  It is important to highlight that data protection compliance is more than consent wording on application forms or documented policies and procedures.

We can assist you in relation to: 

• Creating and delivering Data Protection policies and procedures
• Reviewing current policies and procedures and highlighting areas for improvement 
• Conducting a review and an assessment of current Data Protection and Privacy structures and processes, identifying areas for remediation.  This includes GDPR assessment. 
• Developing and implementing a privacy programme across the organisation 
• The development of Privacy Impact Assessment methodologies and the execution of Privacy Impact Assessments
• Advising on and developing Binding Corporate Rules
• The delivery of personal data lifecycles and inventories
• The delivery of a Data Protection training and awareness campaign 

The first step for an organisation is to perform a review of the published GDPR legislation to identify how and where it affects their business practice. This will vary across organisations and it is about making sure that your organisation has organised itself properly to deal with data protection and privacy and has the technical ability to do so. 

Deloitte’s team of regulatory and Risk Advisory professionals have extensive expertise and experience in the area of Data Protection and our team of professionals have provided support to orgainsiations and delivered a number of services across all industries.