Perhaps the element of the General Data Protection Regulation (‘GDPR’) that has garnered the most attention so far is the area of sanctions. Currently under the Data Protection Acts 1988 and 2003 (‘DPAs’) and the ePrivacy Regulations (SI 336 of 2011), the number of criminal offences in data protection law is relatively low. Further, while the possibility of personal criminal liability for company officers exists, such prosecutions have been rare. This may be set to change once the GDPR becomes law, which is now expected to be in mid-to-late 2018.
This article was first published by PDP Journals and should not be re-published on any other website or publication.