Written answers

Thursday, 20 May 2021

Department of Enterprise, Trade and Employment

Data Protection

Fergus O'Dowd (Louth, Fine Gael)

166. To ask the Minister for Enterprise, Trade and Employment if his Department is fully compliant with GDPR EU requirements, the EU network and Information Security Directive and standards with respect to his Department’s IT infrastructure including Article 29 of GDPR which requires that data processors access only the data they need for their task; if ISO 27001 Annex 9 standards on privileged access are fully met; and if he will make a statement on the matter. [27337/21]

Leo Varadkar (Dublin West, Fine Gael)

Compliance with GDPR EU requirements is an ongoing process that changes over time in line with new and emerging data protection requirements. My Department and the Offices under its aegis have a number of comprehensive processes in place to meet the compliance requirements of the GDPR and data protection laws. This includes a full-time dedicated Data Protection Officer, general and specifically tailored training courses for staff and regular reviews of data protection compliance in the various Business Units across my Department involved in personal data processing activities.

In addition, my Department and the Offices under its aegis have implemented a number of specific protocols to deal with issues such as personal data breaches, data protection privacy statements, privacy notices, data protection impact assessments and also regularly engage with the Data Protection Commission, the Irish Data Protection Supervisory Authority, to ensure that it meets the data protection compliance requirements of new or changing data protection practices.

The EU Network and Information Security Directive is focused on a number of identified critical sectors (energy, transport, water, health, digital infrastructure, finance, online market-places, cloud and online search engines) and is not directly applicable to my Department.

In relation to Annex 9 of ISO 27001, my Department does not have formal certification against the standard. However, an independent review of my Department’s cyber security practices found that, of the 14 compliance areas under Annex 9 of ISO 27001, my Department was fully compliant with 10 of those compliance areas, and it has since achieved full compliance with 12 areas. My Department is also compliant in respect of its operational practices with the remaining two compliance areas, but does not have formal policies in place to reflect that practice. These will be put in place shortly.

Fergus O'Dowd (Louth, Fine Gael)

167. To ask the Minister for Enterprise, Trade and Employment if any State or semi-State bodies which report to his Department are fully compliant with GDPR EU requirements and the EU network and Information Security Directive and standards with respect to their IT infrastructure including article 29 of GDPR which requires that data processors access only the data they need for their task; if ISO 27001 annex 9 standards on privileged access are fully met; and if he will make a statement on the matter. [27355/21]

Leo Varadkar (Dublin West, Fine Gael)

I have asked the state agencies under the remit of my Department to provide the requested information to me and I will forward this to the Deputy once received.
