By Pádraig Hoare
There will be no “bedding in” provision for the General Data Protection Regulation (GDPR), which became law in the EU today, the Data Protection Commission has warned.
Deputy data commissioner Dale Sunderland said it was “quite reasonable” to question the direction of the regulator’s enforcement regime “in the coming weeks, months and years”.
However, he said its obligation was to monitor the implementation of the GDPR once it kicked in today.
“The simple reality is that no provision has been made in law for a grace period from compliance with the GDPR post May 25. In fact, that period commenced two years ago when the text of the GDPR was finalised,” he said.
The GDPR was ratified in 2016 following four years of negotiation, replacing the existing directive on data protection.
Unlike an EU directive, which can be implemented over a certain period, the regulation became law as soon as it took effect today, meaning penalties can be imposed from day one.
The regulation is designed to harmonise data privacy laws across Europe and to protect citizens’ data privacy. It not only applies to organisations within the EU but also to firms that do business inside member states.
If companies fail to comply with the regulation, they can be fined up to 4% of annual global turnover, or €20m.
Mr Sunderland said that from today, individuals may seek compensation from the Irish courts in their own right for breaches of GDPR in respect of the handling of their data.
“But let’s not dwell on what can’t be changed. The much more important message we want to hit home is — regardless of whether an infringement of the GDPR arises on May 25, 2018, or May 25, 2019, an organisation can minimise and mitigate against the potential consequences and sanctions that they could face.”
He said “influential factors” would include the ongoing state of health of an organisation’s GDPR compliance programme, as well as a “genuine commitment and best efforts to meeting their GDPR obligations”.
The scale and impact of any infringement that may arise would also count, as well as whether the organisation was negligent or wilfully in breach.
He said “readiness to engage openly and transparently with both the DPC and the individuals whose data they process” would also be a factor.