The EU General Data Protection Regulation (“GDPR”) was enacted on 24 May 2016 and will come into direct legal effect in all EU member states, including Ireland, on 25 May 2018. It replaces all EU member state general data protection rules. With some exceptions, the GDPR will operate as the new single data protection law for the EU. It is designed to give greater certainty to organisations in navigating and complying with data protection rules across all EU member states.
In many respects, after the GDPR, our Irish data protection rules will look and operate the same. Organisations will still require a specific legal basis for any processing of personal information that they carry out. They will still need to follow the eight data protection principles, including that they must be transparent with individuals about their data processing activities, they must ensure that the personal information they obtain and process is accurate and, where necessary, kept up to date, and they must keep personal information safe and secure.
However, the GDPR also introduces some significant changes to our current data protection rules. This note outlines the main changes to be introduced by the GDPR as they affect Irish-based organisations, and the steps that those organisations should take in 2017 to be ready for it coming into effect on 25 May 2018.
The GDPR will be supplemented by a new piece of national data protection legislation, the draft outline for which was published by the Department of Justice and Equality in May 2017.
In this note, we also comment on the contents of the outline (being the “General Scheme of the Data Protection Bill 2017”) and the additional changes that it would introduce, if it is enacted as is.
To read more see: Top 10 changes introduced by the GDPR