I propose to take Questions Nos. 200 to 202, inclusive, together.
The EU General Data Protection Regulation (GDPR) was enacted on 24 May 2016 and came into direct legal effect in all EU Member States, including Ireland, on 25 May 2018. My Department recognises the need to treat all personal data in an appropriate and lawful manner and is committed to complying with its obligations in this regard. In this context, a suite of GDPR and Data Protection policies have been rolled out in my Department including an overall Data Protection Policy; a Subject Access Request Policy; a Data Breach Policy; a Data Protection Impact Assessment Policy; and a Data Retention Policy.
A Data Protection Officer (DPO) has been appointed as required by the GDPR. The Department’s DPO is currently an Assistant Principal who works in the Department's Corporate Office. The Department is well advanced in the recruitment of an Assistant Principal who will fulfil the DPO role on a full-time basis. More generally, the Deputy may wish to note that over 300 staff in my Department have attended GDPR training over the past 6 months.
Under the GDPR, any individual has the right to request details on personal data my Department may hold about them and this can be done by submitting a Subject Access Request. The details on how a Subject Access Request can be made to my Department can be found on its website. It is the responsibility of each body under the aegis of my Department to ensure they have appropriate policies and procedures in place for dealing with Subject Access Requests and all other GDPR related obligations.
Article 35 of the GDPR makes provision for the undertaking of a Data Protection Impact Assessment (DPIA) in certain instances. A DPIA is a privacy-related impact assessment that enhances my Department’s objective to identify and analyse how data privacy might be affected by certain actions or activities. A policy of completing DPIAs where required was put in place in my Department prior to GDPR coming into effect. Five DPIAs have been completed by my Department since 25 May 2018.