The GDPR (General Data Protection Regulation) is an EU Regulation which governs data protection law for EU member states. It came into operation in May 2018 and the Department continuously works towards full compliance with the requirements of the GDPR.
Many procedures and processes have been introduced since that time in order to comply with the GDPR requirements, including:
- Appointment of a Data Protection Officer – Article 37 of GDPR
- Data breach reporting to the Data Protection Commission (DPC) – Article 33 of GDPR
- Processing of Subject Access Requests – Article 15 of GDPR
- Compilation of a Record of Processing Activities – Article 30 of GDPR
- Examination of data transfers to third countries – Articles 44-49 of GDPR
- Undertaking Data Protection Impact Assessments – Article 35 of GDPR
- Increasing awareness of data protection and information security – Article 32 of GDPR
Procedures in relation to the use of Data Processors, under Article 29 of the GDPR, have been incorporated into revised template contracts, updated by the Office of Government Procurement in 2018, for use by all Government Departments. Data Processors are only provided with access to information that they specifically need to carry out their contracts. Confidentiality in relation to this information is provided for in the written contract.
The Department is also fully ISO 27001 certified and annex 9 is included in the statement of applicability for that certification.