GDPR One Year On

As you know it’s one year since the General Data Protection Regulation (GDPR) came into force across the European Union. The regulation standardizes data protection practices across Europe and strengthens individual’s data privacy rights. It also places added responsibilities on companies to be accountable, transparent and secure in their processing of data. In this article we are going to have a look at some of the events that occurred since its introduction and try to make some predictions of what might come next (though no one can predict the future…)

The first significant data protection event in Ireland was the passing of the Data Protection Act 2018. This national legislation on data protection updates the past data protection laws in Ireland (the first data protection act was way back in 1988). The Data Protection Act 2018 incorporated the GDPR to national circumstances and clarified certain areas such as the operation of Freedom of Information legislation and the processing by national security bodies (An Garda Síochána) for investigations of crimes amongst other issues. The Data Protection Act also allows for administrative fines of up to €1 Million to be charged against public bodies for breaches / non-compliance in the area of data protection.

Another change of the GDPR introduction felt over the past year, is that this regulation allows fines to be levelled of up to 4% of gross revenue or €20 Million (whichever is larger) against companies, in certain instances. In Ireland the national supervisory authority (the Data Protection Commission) has to date not issued specific GDPR based fines however in other European jurisdictions this has occurred. In France Google was fined €50 Million in January of this year. In the UK fines have been issued by their national supervisory authority (ICO) for non-compliance under existing data protection legislation since GDPR went live, Uber, Facebook Ireland and others have been fined in the past 12 months. It is only a matter of time before the national supervisory authority in Ireland will start issuing GDPR fines. According to the Data Protection Commission’s annual report for 2018 over 3000 breaches were reported under GDPR to the Data Protection Commission by the end of last year.

Looking forward to the future Brexit is something the GDPR didn’t anticipate but will have a big impact on Ireland and in particular to data transfers due to the interconnectedness of the two countries. The GDPR does allow for transfers outside its area to countries deemed to have ‘adequate’ levels of data protection (like Switzerland or New Zealand) and under specific circumstances to “third countries” that are neither covered by GDPR nor have “adequate” levels of data protection (a level similar to GDPR). No one knows how the UK’s departure from the European Union will play out. Currently the UK is in the European Union and covered by GDPR. Possibly in the event of a “deal” (agreement) and after an agreed transition period, the UK will become a country deemed to have “adequate” levels of data protection akin to the GDPR and it will be relatively smooth sailing for transfers. In the event of the UK crashing out with no-deal it would perhaps become a “third country” for data transfer like Australia and controllers/processors may have to use specific procedures and clauses in processing agreement to regulate transfers data out of the EU to the UK. This would make things more difficult and definitely slower for business. No one can see the future so it’s a definite case of watch this space.

The GDPR is one year old, the world didn’t end and data protection compliance remains a journey rather than an end destination. _________________________________________________________________________________

Enguard can assist with the issues which GDPR raises from audit, security, staff training to drafting policies and procedure. For further details please call us at Enguard on 0818 252 052 or email We would love to hear from you!

Disclaimer: Please note the above article is an opinion piece based on current sources of information available at the time of publishing. It should not be read as legal, clinical or other form of technical advice for the processing of data by processors or controllers.

Kenneth BakerComment