Agreement on GDPR draws near

Giovanni Buttarelli, European Data Protection Supervisor has this week confirmed that the trilogue negotiations on the General Data Protection Regulation are reaching conclusion and that a deal should be agreed upon by the end of this year. Mr Buttarelli also announced a proposed EDPS Ethics Board, stating that “the rules in the new Regulation are essential but are still not enough, and that this new chapter in Data Protection should build on a new reflection of the ethical dimension.”

Additionally, the UK Deputy Information Commissioner David Smith has published in his ICO blog this month 5 key areas that businesses should examine in preparation for the GDPR:

Consent
An assessment of how an organisation relies on consent for the processing personal data.  This is in recognition of the increased threshold for obtaining consent under the GDPR and a move towards businesses relying on alternative processing conditions.

Accountability 
The GDPR will contain many record-keeping requirements concerning data protection compliance. Organisations are advised to start practicing this as soon as possible.

Staffing 
Adequate DP expertise will be required within an organisation to carry out the extra compliance tasks.

Privacy by Design and Privacy Impact Assessments 
DP compliance and data minimisation should be effected ‘as a matter of course’.

Breach management 
A sufficient and effective breach management process needs to be in place. 

As the enactment of the Regulation draws near, businesses are well advised to take notice of these expected obligations and to put necessary practice in place. The Office of the Data Protection Commissioner, which has received an extra €1.2 million in funding for 2016, will demand similar standards from Irish businesses, particularly now that Ireland is firmly in the global Data Protection spotlight.