Watchdog: No bedding in of GDPR

Watchdog: No bedding in of GDPR
File photo

By Pádraig Hoare

There will be no “bedding in” provision for the General Data Protection Regulation (GDPR) which became law in the EU today, the Data Protection Commission has warned

Deputy data commissioner Dale Sunderland said it was “quite reasonable” to question the direction of the regulator’s enforcement regime “in the coming weeks, months and years”.

However he said its obligation was to monitor the implementation of the GDPR once it kicked in today.

“The simple reality is that no provision has been made in law for a grace period from compliance with the GDPR post May 25. In fact, that period commenced two years ago when the text of the GDPR was finalised,” he said.

The GDPR was ratified in 2016 following four years of negotiation, replacing the existing directive on data protection.

Unlike an EU directive, which can be implemented over a certain time, the regulation is made law once it began today, meaning penalties can be imposed from day one.

The regulation is designed to harmonise data privacy laws across Europe and to protect citizens’ data privacy. It not only applies to organisations within the EU but also to firms that do business inside member states.

If companies fail to comply with the regulation, they can be fined up to 4% of annual global turnover, or €20m.

Mr Sunderland said that from today, individuals may seek compensation from the Irish courts in their own right for breaches of GDPR in respect of the handling of their data.

“But let’s not dwell on what can’t be changed. The much more important message we want to hit home is — regardless of whether an infringement of the GDPR arises on May 25, 2018, or May 25, 2019, an organisation can minimise and mitigate against the potential consequences and sanctions that they could face.”

He said “influential factors” would include the ongoing state of health of an organisation’s GDPR compliance programme, as well as a “genuine commitment and best efforts to meeting their GDPR obligations”.

The scale and impact of any infringement that may arise would also count, as well as whether the organisation was negligent or wilfully in breach.

He said “readiness to engage openly and transparently with both the DPC and the individuals whose data they process” would also be a factor.

More in this Section

Economy grows 1.7% in third quarter of 2019; GDP up 5% in last 12 monthsEconomy grows 1.7% in third quarter of 2019; GDP up 5% in last 12 months

US and China ‘close to trade deal’US and China ‘close to trade deal’

Surging pound up 1.29% against the euro on election resultSurging pound up 1.29% against the euro on election result

Jim Power: Challenges are stacking up down on the farmJim Power: Challenges are stacking up down on the farm


Who hasn’t dreamt of cutting ties with the nine-to-five and living off-the-grid?The great escape: What's life like off the grid?

Jazz in Europe these days exists in a highly networked environment of cultural and political bodies, festivals, promoters, musicians and educators.Jazz Connective Festival: Intriguing, exciting and uncompromising

It will be bittersweet for Stormzy that his second album arrives the day the British Labour party was confirmed as suffering a historic general election trouncing.Album review: Stormzy remains a work in progress

Unique drawings by Quentin Blake, one of Britain’s best-loved illustrators, are available at a Christie’s online auction which runs until December 17.Your chance to buy drawings by Roald Dahl illustrator Quentin Blake

More From The Irish Examiner