The Data Protection Commissioner (the "DPC") has published a guidance note on the General Data Protection Regulation (the "GDPR"). The GDPR will apply from 25 May 2018, aims to harmonise existing EU-wide data protection laws, and will replace the existing framework introduced by the EU Data Protection Directive 95/46/EC.
The DPC's guidance is intended to be the first in a series that will run until the GDPR applies, and it focuses primarily on how organisations should prepare to ensure their data processing activities are fully compliant with the GDPR.
The recommendations include the following:
- Data mapping: mapping out where an organisation makes its most significant decisions about data processing;
- Designated responsibility: ensuring someone in an organisation or an external data protection advisor takes responsibility for data protection compliance and has the knowledge, support and authority to do so effectively; and
- Data Protection Officers: considering whether the organisation will be required to designate a Data Protection Officer and, if so, whether the current approach will meet the GDPR's requirements.
The DPC emphasises that the adoption of "privacy by design" and "data minimisation" principles is already good practice, and that both principles are now enshrined in the GDPR. Accordingly, service settings must be privacy-friendly by default, and new services and products being developed will need to take account of privacy considerations from the outset.
The note also reminds organisations that the GDPR will impose very significant fines for non-compliance of up to 4% of an organisation's annual turnover.