The General Data Protection Regulation will come into force on 25 May 2018 replacing the existing data protection framework under the EU Data Protection Directive.
The regulation governs the privacy practices of any company handling EU citizens’ data, whether or not that company is located in the EU. It will tighten the rules for obtaining valid consent for using personal information.
It also requires that public authorities and certain companies processing personal data on a “large scale” must have an independent data protection officer.
The risks associated with IT and Cybersecurity are a key concern for not only the Central Bank but also the Data Protection Commissioner given their potential to have serious implications for the Data Subject.
The fundamental purpose of the new regulation is threefold:
- A level playing field across Europe for organisations to adhere to
- Better security for European personal data
- Greater control for citizens over their personal data
Even though the GDPR builds on familiar data protection concepts and rules, in many ways it goes further.
The compliance burden will be greater than currently in place so we are in the process of reviewing and enhancing our existing practices.
All organisations dealing with personal data will be responsible for adhering to the new regulation and, as a result, there will be more stringent levels of accountability.