Dara Murphy (Cork North Central, Fine Gael)
Link to this: Individually | In context | Oireachtas source

The position is that the General Data Protection Regulation (GDPR) has direct legal effect and does not require to be transposed into national law. It does however contain a number of Articles which provide Member States with a limited margin of flexibility, mainly in respect of the public sector. Work is ongoing in the Department of Justice and Equality on the development of a General Scheme of a Bill to give further effect to the GDPR and also to transpose the Data Protection Directive (Directive (EU) 670/2016) which deals with the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences and the execution of criminal penalties. The GDPR will come into effect on 25 May 2018 and the Directive must be transposed into Irish law by May 2018. The Department of Justice and Equality has been in regular consultations with other Departments and public bodies and agencies in the course of preparation of the draft legislation and awareness has been raised significantly through this process.

The GDPR encompasses a 'risk-based' approach which means that individual data controllers and data processors are required to put appropriate technical and organisational measures in place in order to ensure and be able to demonstrate that the processing of personal data, taking into account the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity for the rights and freedoms of individuals, is in compliance with the GDPR. The GDPR provides for the establishment of supervisory authorities at national level with a wide range of functions and powers, including the promoting the awareness of controllers and processors of their data protection obligations. The Office of the Data Protection Commissioner, which has already been in existence for almost 30 years, is the supervisory authority in this jurisdiction.

I am advised by the Office of the Data Protection Commissioner that promoting and building awareness of the GDPR is a top priority for 2017 and beyond, using a broad range of communications channels, techniques and platforms. These include conferences and speaking events; engagement with the media and social media; GDPR guidance; and information awareness raising campaigns. The Commissioner, Deputy Commissioners and other senior staff are engaged as speakers at a number high-level, high-impact events in 2017, focusing on GDPR awareness and circulating guidance through representative bodies.

The Data Protection Commissioner issued an information document about the GDPR at the end of 2016 entitled "The GDPR and You". I understand that further GDPR guidance will be published over the course of 2017.

I should add that I established the Government Data Forum in 2015 which brings together a wide range of expertise and experience including legal and data protection professionals, representatives from SMEs and multinationals as well as sociologists, psychologists and education specialists. The Forum’s membership has been designed to enable a broad discussion of some of the key issues concerning the processing of personal data in the digital age. Preparations for the GDPR and increasing awareness of data protection among the broader population are two key areas of focus for the Forum for the year ahead. The centrepiece of the Forum’s activities for this year is the Data Summit that will take place on 15 and 16 June in the Convention Centre in Dublin. Preparations for the GDPR will be a core theme for the Summit with a series of presentations and practical ‘how to’ sessions integrated throughout the programme.