The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission


Delivering Accountability under the General Data Protection Regulation

The Centre for Information Policy Leadership (CIPL), in collaboration with the Irish Data Protection Commissioner, hosted a practical workshop addressing how organisations can deliver accountability under the General Data Protection Regulation (GDPR).
This free and practical hands-on event highlighted and demonstrated accountability in practice, through interactive discussions and presentations for SMEs and the Public Sector.
This workshop covered how to implement essential elements of accountability throughout organisations of all sizes and was broken down into the following sessions:

Session I: How can Controllers and Processors Build Accountability under the GDPR: Documentation & Demonstration

This session centered on examples and practical demonstrations of how controllers and processors of all sizes are delivering accountability, focusing on documenting data processing and demonstrating accountability. 
  • What is the role of the GDPR’s documentation requirements in relation to data processing? How does recordkeeping look like in practice? How should tagging and recordkeeping regarding sensitive data be handled?
  • How can organisations, including SMEs, demonstrate accountability internally and externally (internal data protection programs, data protection certifications, codes of conduct and BCR)?

Facebook Exercise I: Language Matters

In this exercise, audience members were placed into groups to discuss & amend a sample “terms and conditions” in order to learn about the importance of clear and simple language.

Session II: Risk Management and Data Protection Impact Assessments (Part I) and Case Studies on Privacy by Design (Part II)

In Part I, discussion leads demonstrated how to conduct risk assessments, DPIAs and legitimate interest balancing tests.
  • How can organisations determine whether a processing operation presents a risk or high risk to individuals requiring a DPIA under the GDPR?
In Part II, discussion leads demonstrated privacy-by-design, building on the DPIA discussion in the previous session and using practical examples and case studies, including an intelligent personal assistant (Siri).
  • What are the relevant steps in designing data protection into a product or service?
  • What are the key challenges?

Session III: Tabletop: Preparing for and Managing Security Breaches 

This session centred on a tabletop demonstration of how to prepare policies and procedures and handle a data breach and notification to individuals and the DPA.
  • What is the role of data security in preventing personal data breaches? 
  • How can organisations prepare for the event of a breach?  
  • What are best practices for responding to a breach and for breach notification to DPAs and individuals?
  • When and how should DPAs and individuals be notified?

Facebook Exercise II: Peer Review

In this exercise, audience members were placed into groups to review current notices that appear on mobile apps in order to discuss & evaluate transparency.

Session IV: Transparency, Individual Rights and Complaint Handling

This session provided practical examples of how to implement key individual rights under the GDPR.
  • What is transparency under the GDPR and how can information be provided to individuals in different contexts in clear, understandable, concise and innovative ways?    
  • What are best practices for responding to individuals requesting the rights of access, rectification, objection, erasure, blocking and data portability?
  • How can organisations comply with the right not to be subject to automated decision making? 
  • How should an accountable organization respond to complaints?

 Session 4 Slides