GDPR Initiates Vast Changes in Irish Boardroom Practice

Ireland is somewhat better prepared than other EU Member States for the implementation of the EU General Data Protection Regulation (EU 2016/679) (GDPR) which comes into force across the European Union in May 2018. Ireland has had strict data protection regulation since 1988, and is the only country with a cabinet-level post with a specific mandate for this issue. However, the law brings sweeping changes, as it imposes an array of requirements which directors must be aware of as they face personal liability under GDPR.

In May 2017, the Oireachtas passed the General Scheme of the Data Protection Bill. This bill is intended as the transposition legislation for the EU General Data Protection Regulation.

“This legislation is ground breaking,” commented expert John Magee, of the Dublin-based law firm William Fry. “The new rules will have significant impacts for all organisations”.

The bill, in its current form at this writing, addresses many of the key points in GDPR, but only in the form of an overview. Members of Parliament will have a considerable amount of work ahead of them to fill in the gaps and details before next May.

Evolution of Irish Data Protection Law

The main Irish law dealing with data protection is the Data Protection Act 1988. The 1988 Act was amended by the Data Protection (Amendment) Act 2003, which was intended to bring Irish legislation into line with the earlier EU Data Protection Directive 95/46/EC.

The laws apply to all organisations established in Ireland that collect, store or process data about living people on any type of computer, or in a structured filing system.

The laws regulate the processing of the personal data of a living person, which is in the possession or under the control of a data controller.

Personal data is defined as information from which the individual concerned can be identified, either directly or through use of the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

The office of the Data Protection Commissioner was established under the 1988 Data Protection Act. The Data Protection Commissioner is responsible for upholding the rights of individuals as set out in the Acts, and enforcing the obligations upon data controllers. The Commissioner is appointed by the Government and is independent in the exercise of his or her functions. Individuals who feel their personal data has been abused in some way may file a complaint with the Commissioner, who will investigate the matter, and take whatever steps may be necessary to resolve it.

Certain types of data controllers and data processors must register with the Office of the Data Protection Commissioner (ODPC) if they both have a legal presence, or use equipment located, in Ireland, and hold personal data in an automated form.

Directors Must Take Action

Directors must understand that, along with personal liability under some circumstances, failure to demonstrate compliance could lead to companies facing fines of up to €20 million or 4 percent of global turnover, depending on which is greater.

One specific of Irish legislation that may be different from that of other countries is that decisions by the Office of the Data Protection Commission to impose fines will be reviewed by the Circuit Court. The Court will not be acting as a court of appeal, but rather it will impose the fine unless there is good reason not to. This means that for every fine it intends to impose, the Commission will have to make an application to the Court to execute the fine. This oversight of the Circuit Court is to ensure the decision by the Commission to impose a fine was taken in line with procedural rules and constitutional justice.

Another specific aspect of the Irish business environment is that a large number of international companies are based in Ireland. This means that the Data Protection Officer at these organisations must pay close attention to the parts of GDPR that involve data transfer across borders.

“GDPR does however introduce some new legal grounds for cross-border data transfers, as well as significant changes to the recognition of ‘adequate’ countries,” said international law firm Loyens & Loeff in a recent report.

As a general rule, transfers of personal data to countries outside the EEA may take place if these countries are deemed to ensure an ‘adequate’ level of data protection.

Other countries’ level of personal data protection is assessed by the European Commission through ‘adequacy findings,’ which are binding in their entirety to all Member States. Once the “adequacy” of a third country has been recognised, personal data can be transferred to this country without having to take further protective measures.

As in other EU Member States, GDPR involves further sweeping changes to board oversight which must include:

• Inventory all data being used by the organisation and reporting ongoing data processing projects
• Detailed records of data processing
• Appointment of a Data Protection Officer
• Reporting of security breaches to the Data Protection Office within 72 hours of occurrence, as well as to affected personal data owners
• Privacy by design: Projects involving personal data must have a security component

How to Track Compliance

It’s essential for directors to stay up-to-date with the latest developments in GDPR, its implementation at their location and the progress made by their organisation in achieving compliance.

The paperwork involved could be staggering, or directors could communicate in real time using Diligent’s board portal. This environment provides access to all materials that board members need in electronic form, but with top-grade security. What’s more, access to specific documents or data can be set so that only those who have a right to these materials can obtain them.

When new information about compliance becomes available, it can be shared instantly on the portal. And board member communication becomes much more efficient, enabling the board to make better-informed decisions more rapidly.

Given the extremely rapid development of GDPR and its effect on an organisation, Diligent’s board portal offers an efficient and secure solution for achieving compliance.