The Who, What, When, Where & Why of GDPR
31 Oct 2017
Sorcha Corcoran
At present, most working professionals will have heard of, or been exposed to, GDPR in some form or another. At the very least, you may have heard those four letters flung around the office in slightly panicked tones. For those who still haven’t got to grips with it, an extremely simple outline is given below.
But what does it mean for the recruitment market? Brightwater has seen a surge in the number of clients registering Data Protection roles across our IT, Legal, Compliance and Financial Services divisions. Many organisations have already appointed Data Protection Officers and teams at this stage, and those that are late to the market with their roles may find it difficult to find suitably experienced and educated employees. There is an increased demand for professionals in this area, and this demand far outweighs the supply currently on the market. Many are choosing to upskill and re-educate; however, hands-on experience is still the most valuable asset. As a result of this imbalance between the supply of and demand for these professionals, salaries are being driven upwards, with registered DPOs commanding salaries of upwards of €100,000. With GDPR coming into effect from May 25th 2018, it’s time for businesses to get their skates on, and for job seekers to take their time finding a role and an organisation that works for them.
Who:
Who does GDPR affect? GDPR affects all EU citizens, all organisations located in the EU, and all organisations located outside of the EU if they hold data of subjects residing in the EU, offer goods or services to EU subjects, or monitor the behaviour or data of EU subjects.
What:
What are the basic principles of GDPR? There are 6 basic principles, outlined below.
Lawfulness, Transparency and Fairness:
Tell the subject what data processing will be done. What is processed must match up with how it has been described. Processing must meet the tests described in GDPR.
Purpose limitations:
Personal data can only be obtained for specified, explicit and legitimate purposes. Data can only be used for a specific processing purpose that the subject has been made aware of and no other, without further consent.
Data Minimisation:
Data collected on a subject should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Accuracy:
Data must be accurate and where necessary kept up to date.
Storage Limitations:
The regulator expects personal data to be kept in a form which permits identification of data subjects for no longer than necessary. Data that is no longer required should be removed.
Integrity and Confidentiality:
Processors are required to handle data in a manner ensuring appropriate security of the personal data, including protection against unlawful processing and against accidental loss, destruction or damage.
When:
GDPR takes effect from 25th May 2018 and replaces the previous directive from 1995. It is enforceable, and those who are non-compliant could face fines of up to €20 million or 4% of total worldwide annual turnover of the preceding financial year (whichever is greater).
Where:
The EU, and any organisation worldwide outside of the EU if it has an establishment in the EU, if it offers goods and services in the EU, or if it monitors the behaviour of individuals in the EU.
Why:
The definition of “personal data” has expanded enormously over the last number of years, and with the never-ending evolution of technology, the requirement for public protection and control of personal data has consequently reached its peak.
Sorcha Corcoran is a Consultant on the Legal Desk in Brightwater. She specialises in placing Solicitors, Lawyers, Data Protection Officers and Data Protection Subject Matter Experts into roles in both Private Practice and In-House. If you ever wish to discuss the market, or have any questions, call her in confidence on 016621000 for a chat or email her: [email protected]