The General Data Protection Regulation (GDPR) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive. In Ireland, the main law dealing with data protection legislation is the Data Protection Act, 1988 which was amended by the Data Protection (Amendment) Act 2003. These will both be replaced by the GDPR.
As a Regulation, it will not generally require transposition into Irish law (Regulations have ‘direct effect’), so organisations involved in data processing of any sort need to be aware the regulation addresses them directly in terms of the obligations it imposes. The GDPR emphasises transparency, security and accountability by data controllers and processors, while at the same time standardising and strengthening the right of European citizens to data privacy.
Raising awareness among organisations and the public aware of the new law will be a combined effort of the Data Protection Commissioner (DPC), the Government, practitioners, and industry and professional representative bodies. Over the course of 2017, the DPC will be proactively undertaking a wide range of initiatives to build awareness of the GDPR, and providing guidance to help organisations prepare for the new law which comes into force on 25 May 2018.
The Regulation is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market. A single law will also do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The Directive for the police and criminal justice sector protects citizens’ fundamental right to data protection whenever personal data is used by criminal law enforcement authorities. It will also ensure that the personal data of victims, witnesses, and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism.
On 15 December 2015, the European Parliament, the Council and the Commission reached agreement on the new data protection rules, establishing a modern and harmonised data protection framework across the EU. The European Parliament’s Civil Liberties committee and the Permanent Representatives Committee of the Council then approved the agreements with very large majorities. The agreements were also welcomed by the European Council of 17-18 December as a major step forward in the implementation of the Digital Single Market Strategy.
The DPC is also an active participant in the Article 29 Working Party (WP29) comprising representatives from each EU member state’s Data Protection authority. The WP29 has a central role in providing further explanatory and practical guidance on key provisions of the GDPR.