Overview of the General Data Protection Regulation (GDPR)
A new European Union-wide framework known as the General Data Protection Regulation (GDPR) came into force across the EU on 25 May 2018.
An accompanying Directive establishes data protection standards in the area of criminal offences and penalties. This is known as the law enforcement Directive.
The GDPR and the law enforcement Directive provide for significant reforms to current data protection rules. They provide for higher standards of data protection for individuals and impose increased obligations on organisations that process personal data. They also increase the range of possible sanctions for infringements of these rules.
This document outlines the main elements of the GDPR and links to further information about it.
The GDPR and Ireland
As an EU regulation, the GDPR did not generally require transposition into Irish law (EU regulations have direct effect), so organisations involved in data processing of any sort need to be aware that the GDPR addresses them directly in terms of the obligations that it imposes. You can read about these obligations and the concepts and principles involved.
The Data Protection Act 2018 was signed into law on 24 May 2018. The Act changes the previous data protection framework, which was established under the Data Protection Acts 1988 and 2003 (pdf). Among its provisions, the Act has:
- Established a new Data Protection Commission as the State’s data protection authority
- Transposed the law enforcement Directive into national law
- Given further effect to the GDPR in areas where member states have flexibility (for example, the digital age of consent)
Types of data
There are two main types of data under the GDPR: personal data and special category personal data.
Under the GDPR, personal data is data that relates to or can identify a living person, either by itself or together with other available information. Examples of personal data include a person’s name, phone number, bank details and medical history.
A data subject is the individual to whom the personal data relates. You can read more in our document Your rights under the GDPR.
Organisations that collect or use personal data are known as data controllers and data processors. You can read about the obligations of data controllers and processors and the concepts and principles involved.
Special category personal data
Special category personal data (known as sensitive personal data under previous Irish legislation) means personal data relating to any of the following:
- The data subject’s racial or ethnic origin, their political opinions or their religious or philosophical beliefs
- Whether the data subject is a member of a trade union
- The data subject’s physical or mental health or condition or sexual life
- Whether the data subject has committed or allegedly committed any offence
- Any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings
The processing of special category data is prohibited unless the data subject has given their explicit consent before processing begins or the processing is authorised by law, for example, to protect the interests of a data subject, to comply with employment legislation or for reasons of public interest.
Personal data relating to criminal convictions and offences may only be processed under the control of an official authority.
Where the GDPR applies
The GDPR applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of individuals in the EU by a controller or processor established outside the EU, where those processing activities relate to offering goods or services to EU citizens or the monitoring of their behaviour.
Non-EU organisations processing the personal data of EU citizens must appoint a representative located in the EU.
Supervision and enforcement
Independent supervisory authorities
Under previous Irish legislation, the Data Protection Commissioner was responsible for supervising data protection in Ireland. Under the GDPR, each EU member state must have one or more independent public authorities responsible for monitoring the application of the Regulation. In Ireland, this supervisory authority is the Data Protection Commission.
The Data Protection Commission will:
- Monitor and enforce the application of the GDPR
- Promote public awareness of the rules and rights around data processing
- Advise the Government on data protection issues
- Promote awareness among controllers and processors of their obligations
- Provide information to individuals about their data protection rights
- Maintain a list of processing operations requiring data protection impact assessment
The Data Protection Commission has the power to order any controller or processor to provide information that the authority requires to assess compliance with the Regulation. It may carry out investigations of controllers and processors in the form of data audits, including accessing the premises of a controller or processor. The authority can order a controller or processor to change their processes or to comply with data subject requests. The Data Protection Commission can also issue warnings to controllers and processors and can ban processing, as well as commence legal proceedings against a controller or processor.
European Data Protection Board (EDPB)
The GDPR has introduced a new European data protection supervisory authority, the European Data Protection Board (EDPB). The EDPB is responsible for ensuring that the GDPR is applied consistently across the European Union. It will issue guidelines and recommendations on the application of the Regulation. It will also advise the EU Commission on the application of the Regulation and any updates that may be required.
The EDPB is made up of the head of one supervisory authority of each member state and the European Data Protection Supervisor.
Penalties apply to both controllers and processors found to be in breach of the GDPR. There are different penalties, depending on the seriousness of the breach.
For the most serious infringements (for example, not having sufficient customer consent to process data or violating the core of privacy by design concepts) organisations can be fined up to 4% of their annual global turnover or €20 million, whichever is greater.
Each member state may introduce further fines legislation, which will be enforceable within that state only.
Under the GDPR, organisations in breach of the Regulation can be fined up to 2% of their annual global turnover or €10 million, whichever is greater, for lesser breaches. Some examples of lesser breaches include: not having records in order, not notifying the supervisory authority and data subject about a breach, or not conducting an impact assessment.