Implementing the new data protection legislation ordered by the EU is going to be a “huge challenge” for Ireland, the head of data protection at the Department of Justice has warned, writes Pádraig Hoare.
Seamus Carroll, who was speaking at a data protection event for businesses in Cork, said a Government bill was due to be published next week outlining how Ireland will protect data.
He said the bill had to be enacted before the EU’s new law due in May, the General Data Protection Regulation (GDPR).
The GDPR was ratified in 2016 following four years of negotiation, replacing the existing directive on data protection. Unlike an EU directive, which can be implemented over a certain time, the regulation is made law once it begins in May, meaning penalties can be imposed from day one.
The regulation is designed to harmonise data privacy laws across Europe and to protect citizens’ data privacy. It not only applies to organisations within the EU but also to firms that do business inside member states.
If companies fail to comply with the regulation, they can be fined up to 4% of annual global turnover, or €20m.
Mr Carroll said the Irish legislation will propose a new commission to replace the current data protection commissioner’s office that will have up to three commissioners.
Mr Carroll said the current EU law surrounding data protection was a “patchwork quilt” and that the new law was designed to bring certainty and clarity.
However he warned that Ireland had been “embroiled” in many test cases which were “rapidly developing in the European Court of Justice” (ECJ).
“We lost another case in December 20, where the ECJ in its great wisdom decided that examination scripts are personal data for the purposes of data protection law. Examination scripts contain a lot of information, perhaps not a lot of personal information, but it just shows how the case law of the ECJ is pushing out the parameters and our understanding of data protection law,” he said.
He said the 90-article GDPR was “frustrating and head-scratching” in places and that it was a “huge challenge” to make it clear and transparent.
The event at Páirc Uí Chaoimh was hosted by law firm O’Flynn Exhams in conjunction with Willis Towers Watson.
Time is running out for businesses to prepare for GDPR on how they store customer and employee personal data, speakers told attendees.
Managing partner at O’Flynn Exhams, Richard Neville said: “The impact of GDPR will be felt across all sectors, and will increase the obligations businesses have, not only to their customers, but also to their employees, who will see their rights strengthened around how their personal data is processed and stored.”