
GDPR will force companies to rethink how they handle customers' data

Daragh O'Brien, from consultancy firm Castlebridge, tells Adam Maguire companies will have to re-think the way they are handling customer data

In less than two months' time, strict new data protection rules will come into force across Europe. The new General Data Protection Regulations - or GDPR - will see significant changes to data protection laws - giving new rights to individuals and adding new obligations to organisations.

"The new data protection rules are building on the existing legislation so in terms of core principles they're broadly the same," said Daragh O'Brien, managing director at consultancy firm Castlebridge. "Where we see significant changes are in relation to focus on internal accountability and control and governance in organisations. Of course there's a much stricter and higher standard of penalty and fine - potentially - under the new legislation," Mr O'Brien said. 


In practical terms, that means that companies will have to re-think the way they're handling customer data - and how they communicate their practices with those customers. "Companies will need to look at how they're communicating with their customers, with their staff, about how they're using the personal data of whom they're engaging with on a day-to-day basis," he said. "They'll have to look at how they've documented those processes and those activities, so they're clear about what's happening with that information."

There are also increased requirements around the contracts that a company has in place with third parties that do work on their behalf. "This is something they have to have at the moment but the standard in terms of what's required in that contract is also going up," Mr O'Brien said.

The changes are not just confined to the technology sector or to modern companies. They will affect any company that holds data about people, or data that can identify people. That could be a big social media firm that gathers a wealth of information about each user, a café that has a loyalty scheme or a small shop that uses CCTV. "It applies to all non-domestic use of data - so sports clubs, small shops, large organisation," Mr O'Brien explained. 

The change, by its definition, should not be invisible to the individual either. That may simply mean more signage around the likes of CCTV, or more precise contact with customers about how their data is handled. 

Firms that fail to comply with the changes once introduced on 25 May could face a hefty punishment too. It is likely that those found to be in breach will be ordered to take remedial action by the Data Protection Commissioner - though they might also be told to stop their practice altogether. At the more severe end of the spectrum, companies could face big fines too - to the potential tune of 2-4% of turnover depending on the offence. 

"There are a number of other enforcement sanctions available to the Data Protection Commissioner under current law and the new rules," said Mr O'Brien. "Those penalties could include ordering you to stop doing the data processing entirely, ordering you to make changes in the timeframe that the data protection commissioner will require, but the ultimate sanction is 4% of turnover of €20m for a very serious breach of the legislation," he added.

***
MORNING BRIEFS - Smurfit Kappa has this morning rejected a second takeover bid from a US rival. International Paper had an initial bid rejected three weeks ago - but it made a revised offer late last week. Smurfit Kappa's board has rejected this, however, saying the firm's best interests were as an independent company. It also said the bid undervalued the group.

*** Shares in Independent News & Media slumped this morning after the newspaper publisher revealed that the Director of Corporate Enforcement was seeking High Court approval to appoint inspectors to investigate its affairs. In a statement it said that - if made - the appointment could result in the company incurring material costs.