Page 33 - Linkline Yearbook 2018

GDPR Will Change Data Protection in May 2018 – Are You Ready?
In less than a year, Europe’s data protection rules will undergo their biggest changes in two decades. Since their creation, the volume of digital information we create, capture, and store has vastly increased. Simply put, the old regime was no longer fit for purpose.
The solution is the mutually agreed European General Data Protection Regulation (GDPR), which will come into force on May 25 2018. It will change how businesses and public sector organisations can handle the information of customers. To find out more about what GDPR will mean, Council Journal spoke with Conor Flynn, founder of IT security firm ISAS (Information Security Assurance Services), who has over 25 years’ experience providing information security advice to a wide range of public and private sector organisations.
Of the regulation coming into force next May, Conor explains that “GDPR is seen as a move across Europe to improve the old data protection acts which have been with us since the 1980s, albeit with a number of revisions. There was quite an inconsistent implementation across the EU with the old acts; the EU issued a directive and then it was up to each local jurisdiction to transpose that into a piece of legislation and make it an act locally. For instance, it took Ireland seven years to transpose the original directive which came out in 1981 into an act here.”
When the EU issues a regulation, it is immediately binding in all countries; it does not need to be transposed into local legislation, which makes GDPR significantly different from its predecessors.
What makes GDPR interesting, according to Conor, is that it came into force in May 2016 but will not begin to be enforced until May 2018: “A lot of people are looking at May 2018 as when this will become applicable and that is not the case. It became applicable in May 2016; we are now in the adoption phase, so next May is when the fines and audits will start based on the regulation. Many people are working on the basis that they only have to start working towards compliance next May; you have to finish compliance by next May.”
There are some significant implications for the public sector in particular: “GDPR defines that every public sector body, regardless of size, that handles any personally identifiable information must have a data protection officer. Now, a lot of organisations in the public sector already have data protection officers but oftentimes it’s a combined role. It might be someone who is head of IT or in HR, but what is going to be particularly impactful in the Irish public sector is that those roles are now seen as conflict roles for data protection. They cannot exist with them,” he explains.
The regulation has called out some very specific competences that the data protection officer must have: “They must have quite a lot of training, a good technical knowledge of systems within the organisation, and they must be of a senior level because they have to be able to go to the management board to report any non-compliance. They also have protection, somewhat similar to a whistle-blower; they can’t be disciplined or have any impact on their career for doing their job as an officer.”
While the regulation doesn’t require legislation to come into effect in May of next year, it does need legislation to support some specific pieces of enactment at a local level. As Conor explains, “For instance, the age of a child is defined differently in varying European countries, and the specific controls with regards to how you handle the information of a child, so that has to be dealt with locally. Also, there is discretion to each country as to whether or not public sector bodies will be fined for breaches, and there is a little bit of tension here. The draft bill is proposing that public sector bodies can’t be fined in Ireland but the data protection office is lobbying that they should be fined.”
[Photo caption: Founder of IT security firm ISAS, Conor Flynn]
In the private sector, however, the fines are going to be far more onerous and we’ve seen some very public headlines about fines of up to €20 million and up to four percent of global turnover. While these don’t apply so much to the public sector, what does apply is the ability for the data subject, the citizen, to sue the controller or processor of their data in the event of a breach.
Conor explains: “The regulation foresees that any settlements in a case like this should be dissuasive and should be more than compensating the injured party for their injury. There have to be non-compensatory payments made as well, which means the stress or discomfort of somebody who has suffered a breach would result in a payment, which is worrying.” Elaborating further, he adds: “There is a lot of responsibility and accountability coming towards the various data controllers in both public and private sectors. What is going to make it more difficult in the public sector is there are very specific requirements to the role, functions, competency and independence of data protection officers while at the same time, they are still exposed to the settlement of lawsuits.”
The Chartered Institute of Logistics & Transport
