Compliance with GDPR EU requirements is an ongoing process that changes over time in line with new and emerging data protection requirements. My Department and the Offices under its aegis have a number of comprehensive processes in place to meet the compliance requirements of the GDPR and data protection laws. This includes a full-time dedicated Data Protection Officer, general and specifically tailored training courses for staff and regular reviews of data protection compliance in the various Business Units across my Department involved in personal data processing activities.
In addition, my Department and the Offices under its aegis have implemented a number of specific protocols to deal with issues such as personal data breaches, data protection privacy statements, privacy notices and data protection impact assessments, and also regularly engage with the Data Protection Commission, the Irish Data Protection Supervisory Authority, to ensure that they meet the data protection compliance requirements of new or changing data protection practices.
The EU Network and Information Security Directive is focused on a number of identified critical sectors (energy, transport, water, health, digital infrastructure, finance, online market-places, cloud and online search engines) and is not directly applicable to my Department.
In relation to Annex 9 of ISO 27001, my Department does not have formal certification against the standard. However, an independent review of my Department’s cyber security practices found that, of the 14 compliance areas under Annex 9 of ISO 27001, my Department was fully compliant with 10 of those compliance areas, and it has since achieved full compliance with 12 areas. My Department is also compliant in respect of its operational practices with the remaining two compliance areas, but does not have formal policies in place to reflect that practice. These will be put in place shortly.