25. Deputy James Lawless asked the Tánaiste and Minister for Justice and Equality the steps that have been taken to prepare for the implementation of the GDPR in 2018; the level of preparedness among industry; and if she will make a statement on the matter. [15534/17]
Minister of State at the Department of Justice and Equality (Deputy Dara Murphy): The position is that the General Data Protection Regulation (GDPR) has direct legal effect and does not therefore require to be transposed into national law. The Regulation does however contains a number of Articles which provide Member States with a limited margin of flexibility, mainly in respect of the public sector. Work is ongoing in my Department on the preparation of a General Scheme of a Bill to give further effect to the GDPR and also to transpose the law enforcement Data Protection Directive (Directive (EU) 670/2016) which deals with the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences and the execution of criminal penalties. The Regulation will come into effect in Ireland on 25 May 2018 and the Directive must be transposed into Irish law by 6 May 2018. The Department of Justice and Equality has been in regular consultations with other Departments and public bodies and agencies in the course of the preparation of the scheme and awareness has been raised significantly through this process.
The GDPR adopts a risk-based approach which means that individual data controllers and processors have to put appropriate technical and organisational measures in place in order to ensure and be able to demonstrate that the processing of personal data is in compliance with the Regulation, taking into account the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity for the rights and freedoms of individuals. The GDPR provides for the establishment of supervisory authorities at national level with a wide range of functions and powers, including the task of promoting the awareness of controllers and processors of their obligations under the Regulation. The Office of the Data Protection Commissioner, which the Deputy is aware has already been in existence in Ireland for almost 30 years, is the supervisory authority for Ireland.
I am advised by the Office of the Data Protection Commissioner (DPC) that promoting and building awareness of the GDPR is a top priority for the office in 2017. The DPC is taking a leading role in driving awareness, in collaboration with other stakeholders where appropriate, acknowledging that effective GDPR awareness raising will be a combined effort of the DPC, the Government, practitioners, industry and professional representative bodies.
The DPC is using a broad range of communications channels, techniques and platforms. These include: conferences and speaking events; engagement with the media and social media; GDPR guidance; and information awareness raising campaigns.
The Commissioner, Deputy Commissioners and other senior staff are engaged as speakers at a number high-level, high-impact events in 2017, focusing on GDPR awareness and circulating guidance through representative organisations.
The DPC issued a readiness document in relation to the new Regulation at the end of 2016, entitled "The GDPR and You". I understand that further GDPR guidance will be published over the course of 2017.
I should add that I established the Government Data Forum in 2015 which brings together a wide range of expertise and experience including legal and data protection professionals, representatives from SMEs and multinationals as well as sociologists, psychologists and education specialists.
The Forum’s membership has been designed to enable a broad discussion of some of the key issues around the use of personal data in our digital society.
Preparations for the GDPR and increasing awareness of data protection among the broader population are two key areas of focus for the Forum for the year ahead. The centrepiece of the Forum’s activities for this year is the Data Summit that will take place on 15 and 16 June in the Convention Centre. Preparations for the GDPR will be a core theme for the Summit with a series of presentations and practical ‘how to’ sessions integrated throughout the programme.