The General Data Protection Regulation (GDPR) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.
As a regulation, it will not generally require transposition into Irish law (regulations have ‘direct effect’), so organisations involved in data processing of any sort need to be aware that the regulation addresses them directly in terms of the obligations it imposes.
The GDPR emphasises transparency, security and accountability by data controllers and processors, while at the same time standardising and strengthening the right of European citizens to data privacy.
Over the course of 2017, the Data Protection Commissioner will be proactively undertaking a wide range of initiatives to build awareness of the GDPR, in particular providing guidance to help organisations prepare for the new law when it takes effect.
The DPC has prepared an introductory document to help in preparing for GDPR: “The GDPR and You”.
This document lists 12 steps which organisations should be taking to be GDPR-ready by 25 May 2018.
Of course, the guide is not an exhaustive list, and organisations should ensure that their preparations take account of all actions required to bring them into compliance with the new law.