Citizens’ data and GDPR compliance
Ahead of the implementation of the EU General Data Protection Regulation (GDPR) in May 2018, Ciarán Galway speaks with the man leading engagement with private and public-sector organisations, providing guidance on its practical application and driving compliance, Deputy Data Protection Commissioner Dale Sunderland.
At a global level, there has been an enhanced focus on privacy and data protection rights. At the heart of this is an understanding that everyone has their own private identity and space. This can be highly personal information, including an individual’s lifestyle habits, where they work, where they go in their spare time and what they browse and buy online. Every facet of an individual’s life can be classified as personal data.
In most countries around the world, to some degree or other, there are legislated rules and regulations which protect citizens’ data privacy rights. The GDPR unambiguously states that any information which can be used to identify an individual is classified as personal data.
Appointed as Deputy Data Protection Commissioner for Ireland in May 2016, Sunderland has responsibility for the consultation, communications and corporate functions of the Data Protection Commissioner’s Office. He explains: “The EU has set a very high bar around the protection people have of their personal data. At a European level, it has been elevated to the status of a human right and Article 8 of the EU Charter of Fundamental Rights provides a right of all individuals to have their personal data protected. This was enshrined in Irish law by the Lisbon Treaty.”
The new EU legal framework, the GDPR, will replace an existing 1995 data protection directive with a modernised code, reflective of the evolving technological climate. “Technology is marching ahead and there was a need for the legal framework to keep up with that and indeed replace it with something which can evolve and is capable of regulating how personal data is used in an increasingly technological world,” Sunderland comments.
Under the GDPR, there is an obligation on organisations to collect, store and process information in a compliant manner. The GDPR gives enhanced rights to individuals, including the right to access data, the right to have data erased in certain circumstances and the right to port data from one service provider to another.
“The purpose of GDPR, at its heart, is to put individuals back in the driving seat of maintaining control over their digital identity by ensuring that the information that organisations collect is done on a lawful, fair and proportionate basis, that it is only used for the purposes it was collected, that it is only kept as long as it is needed and it is kept correct and accurate. They’re some of the principles, which while not new, are certainly reinforced. The GDPR gives an entirely new impetus to data protection in a European context,” Sunderland asserts.
Data protection authority
Under European law and the Charter of Fundamental Rights, each country is required to have an independent authority responsible for upholding the data protection rights of individuals. In Ireland, that authority is the Data Protection Commissioner. “We hold a very onerous and responsible position. Our roles and responsibilities are given further expression under the 1995 directive, but have now been very clearly prescribed under the GDPR. We must act entirely independently in our role. We will be responsible for ensuring the proper application of the GDPR when it comes into effect, and with the GDPR comes an enhanced suite of investigatory and enforcement tools to ensure where there is non-compliance, we can investigate it and where appropriate impose sanctions,” he states.
On one hand, the Office of the Data Protection Commissioner performs a consultative function, engaging with both public and private sector organisations. “We are very positive about that and open to giving guidance and advice on questions that might help organisations bring their data processing, products or services into compliance before they hit the market or are implemented.
“Our aim is to drive awareness of data protection requirements and to drive compliant implementation of projects, products and services. This minimises any potential risk to individuals, but also benefits organisations, because having worked with us and having received advice, they can then proceed with more certainty around compliance with data protection law,” notes the Deputy DPC.
“The purpose of GDPR, at its heart, is to put individuals back in the driving seat in order to control their digital identity by ensuring that the information that organisations collect is done on a lawful basis…”
On the other hand, the Office investigates complaints and, where risks to the data privacy rights of individuals or issues of non-compliance are identified, it can then take enforcement action under the GDPR. “Under the GDPR, we will have the power to compel organisations to take certain measures to bring themselves back into compliance and where we believe that an organisation will commence the processing of data in a non-compliant way, we will have the ability to issue an order to prevent them from doing so. It’s a greatly enhanced enforcement toolkit.”
It is important to note, however, that under the GDPR, accountability lies with organisations. “It’s not just about the Data Protection Commissioner assuming a policeman-like role and finding or rooting out instances of non-compliance. We will of course be proactive in identifying and responding to instances of non-compliance whether they come to us through complaints, audits or issues we’ve identified ourselves based on an assessment of the risk to individuals. But very significantly the GDPR places a central emphasis on organisations being compliant and being able to demonstrate to us that they are compliant.
“That is where we are going to be emphasising our efforts and our focus as we move into the GDPR. We will be engaging with organisations in high risk areas to demonstrate their compliance with GDPR to us. For organisations to be compliant by 25 May 2018 they will need to be proactively working on readiness programmes, teasing through the detail of the data they collect and process now, and if they’re holding any data now, ensuring they have a lawful basis and if they don’t then they need to work through a remedial process to bring themselves back into compliance. That work should be currently ongoing,” stresses Sunderland.
SMEs
The office of the DPC regulates in the region of 100,000 entities in Ireland ranging from corner-shops to multinationals and as such, engages with representative bodies such as Ibec, the Small Firms Association and Retail Excellence, to drive out the message to their membership about GDPR.
“On 25 May this year, we released the results of a survey focused particularly on SMEs. While it showed that there was some awareness of the GDPR, there was a very low level of preparedness or action being taken,” says Sunderland.
To help build awareness, a dedicated GDPR microsite, www.GDPRandYou.ie, with a particular focus on the SME sector, was launched by the DPC. “We have created visuals and videos with the purpose of grabbing the attention of organisations who may not be aware yet or those who do not know where to start, and to then provide materials and resources to help organisations to assess what action is needed in order to get ready.
“Over the coming months, we’re going to continue to proactively work with public sector organisations, industry bodies and representative associations to build awareness. Obviously, SMEs are going to be at the core of that. We are entering into a critical phase around awareness raising and over the coming months you will see a number of other initiatives from this Office around guidance, in order to build and keep the momentum going.
“While preparing for the GDPR does present significant challenges for organisations, that in itself is not a reason to fail to meet the 25 May deadline. But if an organisation can demonstrate what they’re doing to bring themselves into compliance, this could be hugely important when it comes to looking at sanctioning powers. Where there’s a genuine commitment and real demonstration of progress being made, it will be taken into consideration as to how we might view any particular failure to meet the GDPR standard.”
It is also important to bear in mind that there is an emphasis on a risk-based approach within the GDPR. As such, a small organisation that does not collect or maintain a large volume of personal information and where there is a low risk to the data protection rights of the individual will have straightforward compliance obligations compared with an organisation which, for example, collects and retains health or financial data.
Public sector
Within the public sector, there is a growing impetus behind preparation for the GDPR. This is welcomed by the DPC “because we believe that there is a significant degree of work yet to be done within the public sector to ensure that public authorities will be in a position to fully comply from next May”.
The GDPR will require a shift away from the more traditional view, held within some public-sector organisations, of the role of data protection and where it fits in the overall scheme of their responsibilities and obligations as public authorities. “That may be reflective of how integral data has become to organisations, but yet, there is a mindset change which, while starting to evolve, has some way to go to ensure that data protection becomes more than a simple tick-box exercise or simply something that you need to be concerned about if you’re in the process of providing a customer-facing service.
“There’s a higher bar for public sector bodies processing personal information, given the position they hold within society and that asymmetry in the power a public-sector body has compared to an individual member of the public,” outlines Sunderland.
Multinationals
The GDPR provides for a harmonised and consistent approach to the interpretation and implementation of data protection regulation by supervisory authorities across the EU. There are various co-operation and consistency mechanisms built into the GDPR. There is also the concept of a Lead Supervisory Authority, which is determined by where a company has its main establishment within the EU.
“It’s the choice of the company whether they establish in such a way to avail of this option which is called the ‘one-stop-shop’. What it means is, if a large US multinational with a European headquarters here in Ireland, but with operations in all the other member states, can demonstrate that the means and purposes for which the data is being processed, are being decided upon here and they have a presence of substance, they can declare Ireland as their main establishment,” explains Sunderland.
The benefit to the organisation is that it can generally deal exclusively with one country’s authority as its lead regulator. This means that, if there is a complaint or an issue of non-compliance which is identified in Germany or Austria, it can be dealt with, in the first instance, by the DPC as the lead data protection authority.
However, any other concerned data protection authority must be notified about the complaint being handled. “They must also be kept up to date on our investigation and be shown our draft findings. This is so that they have an awareness that the issue is being handled by the DPC and if they have a reasoned and relative objection in terms of our findings, they can seek to have that escalated to the new European Data Protection Board which can then review findings and make a determination.
“To avail of the one-stop-shop, a company will have to have a presence of substance in a member state. So, in terms of an idea of forum shopping or deciding which member state ‘suits’ a company best, in practice that should not and will not work. There is a high bar to determine what constitutes a company’s main establishment in order to avail of this mechanism which allows it to have a single interlocutor instead of 28.”
Expansion of workload
The workload of the Office of the DPC has continued to increase and it now processes approximately 1,400 individual complaints on an annual basis. “We are certainly picking up that there is a greater concern among individuals regarding how their data is being used, especially how the public sector is collecting and using data,” emphasises Sunderland.
“Perhaps one of the game changing aspects of the GDPR is that it will drive all organisations to be much more transparent in the data they collect, why they are collecting it, who they are going to share it with and how long they are going to keep it for. That can only be to the benefit of individuals, but also to the organisations themselves.”
Meanwhile, as virtually all global tech giants have established operations in Ireland, many of these being European operations, the international spotlight has shone onto the Irish data protection authority.
“There is an acknowledgement by the Government in terms of the ongoing support of the DPC through an increased budget that the continuing presence of multinationals in Ireland, in part, relies upon a stable, effective regulatory environment and an independent, professional and well-resourced regulator. Part of having a data protection environment conducive to the continuing growth of the digital economy and presence of international companies who operate intensively in the data space, is ensuring a DPC that is well-resourced and competent to perform its regulatory functions.” The size of the DPC will reach approximately 90 staff by the end of 2017 and using its increased 2018 budget allocation the DPC plans to recruit a further 40 staff including additional specialists in areas such as law, technology, communications and policy analysis.
In the new year, following publication of the forthcoming Data Protection Bill which will give further effect to aspects of the GDPR in Irish legislation, we will be speaking again with the Data Protection Commissioner’s office to look at some of the key provisions of the bill and the implications for the data processing operations of public sector bodies in particular.