GDPR – What To Know Before 25 May 2018

Author: Ms Lisa Joyce
Profession: Mason Hayes & Curran

As detailed in a recent update, the Irish Data Protection Bill 2018 was published on 1 February 2018. The Bill implements those instances where Member States are permitted some flexibility under the GDPR and contains important provisions on the robust enforcement powers of the reformed Data Protection Commission.

With some amendments, the Bill was passed by the Seanad in late March 2018 and is currently at Committee Stage in Dáil Éireann, the Irish legislature's lower house.

While commentators often point out that the GDPR is an evolution, not a revolution, the steps required for compliance are onerous and are no doubt causing many challenges for both data controllers and processors.

The GDPR applies to both public and private organisations that are established in the EU or that process personal data of EU data subjects in certain circumstances. However, there are some key differences for data controllers in the public sector. These relate, in particular, to the imposition of administrative fines, the need to appoint a Data Protection Officer and the lawful conditions of processing which may be relied upon.

Administrative fines for public authorities

Under the GDPR, administrative fines can be imposed on data controllers and data processors that breach certain provisions of the GDPR. The level of fine will depend on the seriousness of the breach. The most serious breaches will be liable to fines of up to €20 million or 4% of the undertaking's annual turnover, whichever is greater. The less serious breaches will be liable to fines of up to €10 million or 2% of the undertaking's annual turnover, again, whichever is greater.

However, the GDPR (Art 83(7)) allows for each Member State to legislate on whether, and to what extent, administrative fines can be imposed on public authorities and bodies established in that Member State.

Initially, the Bill sought to exempt public sector bodies from fines. However, concerns were expressed by the Data Protection Commissioner that these bodies should not be excluded from fines. This was on the basis that, in protecting fundamental rights, higher standards are arguably demanded from public sector bodies. Unfortunately for the public sector, the Bill passed by the Seanad has been amended in this regard. It now provides (section 139) that administrative fines can be levied against public authorities and public bodies up to a maximum of €1 million. However, to ensure fair competition, this upper limit will...
