The General Data Protection Regulation will be enforced from 25 May 2018. This new European law, commonly referred to as the GDPR, will introduce fundamental changes to how our personal data is collected and processed, increasing the rights of individuals and introducing greater sanctions for non-compliance.
As the GDPR is an EU regulation, it will automatically be enforced in all member states, but parts of it require national legislation. A bill is currently being prepared by the Department of Justice and Equality to give effect to the GDPR in Irish law.
Once this bill is passed in the Dáil and Seanad, a new legal framework for enforcement and a restructuring of the data protection commissioner can take place. Considering that all of this needs to be completed before May 2018 to allow for a smooth transition, time is most certainly of the essence.
The draft bill proposes to exempt public bodies from fines if they are found to be in breach of the GDPR. This exemption is based on the belief that these fines would be circular, as they would merely shuffle money from one public fund to another.
This seems to go against the ideology of all other Member States, where fines are seen as an important deterrent and driving factor for public bodies to improve their information security.
Helen Dixon, Ireland’s data protection commissioner, has described this development as a serious concern. She said her office saw “no basis on which public bodies or authorities would be excluded, particularly given that arguably higher standards in the protecting of fundamental rights are demanded of those entities”.
There is no doubt that private organisations will be subject to the GDPR fines. Make sure you don’t get caught out: have one of our expert consultants identify and prioritise the key work areas that your organisation must address ahead of May 2018.