GDPR is fundamentally not a tech challenge, it is a people challenge
April 5, 2017
Data Protection Commissioner Helen Dixon has one of the busiest jobs in Irish public life, preparing her rapidly expanding office for the challenges of implementing one of the largest-ever changes to how business is done in Ireland.
The General Data Protection Regulation (GDPR) comes into effect across Europe in May 2018 and in many ways will be equivalent in scale and scope to the implementation of Health & Safety regulations in the latter half of the 20th century - Dixon believes the way we do business will never be the same again.
"The GDPR is big news because it can't be business as usual for any type of company or public sector body after May 2018. If it is business as usual after that point, there will be consequences for companies and organisations, whether they are big or small, public or private, and those consequences will be very significant. Consumers may seek compensation from organisations if they consider their data protection rights have been breached; Data Protection Authorities may enforce against organisations, including very significant fines; and if that happens we will be publishing the fact of the fine and the reason for the fine, meaning organisations may also suffer from reputational damage", she said.
Fit for purpose
It is clear that complying with the GDPR is going to involve significant changes for organisations, and it is also clear why the changes are necessary for a 21st-century economy and society: when the Data Protection Regulations that the GDPR replaces were written, 'big data' companies did not really exist. Google was in its infancy, while Facebook, Twitter, LinkedIn and dozens of others had not yet been created. Dixon says that a fit-for-purpose regulatory environment needs to be created that can cope with the challenges to privacy faced by individuals, while also recognising the benefits that these companies can offer private individuals.
"It's very clear that the reason the EU Commission proposed this regulation as far back as 2012 is because of the challenges in securing and safeguarding personal data due to rapid technological developments. All sorts of public and private bodies are processing our personal information on an unprecedented level and the rights of individuals do need to be vigorously protected in that context, while also not stifling innovation or preventing citizens from getting the benefits that we might derive from technology," she said.
As Dixon explains, the main concept behind the GDPR is about allowing individuals to have greater control over how their personal data is collected and processed while listing and expanding their rights under the law. This includes the right to clear and transparent information from organisations which collect and process their personal data; the right to access personal data and know what data is held on them; the right to erasure; and the right to data portability.
All of the rights will have clear benefits for consumers, but one regularly overlooked right is the right to data portability. This is, in essence, telling a company that you want it to securely transfer specific data it holds on you to another company, which will make a big change in industries such as banking, insurance, utilities and telecommunications. The new law will mean consumers can require that their information be transferred easily between operators, and should lead to an increase in competition.
The flip-side of the rapid expansion of consumers' rights is going to be an even more rapid increase in the obligations on organisations in order to deliver on those rights for individuals, in particular requiring organisations to be accountable to consumers and to the data protection authorities which supervise them.
The types of obligations include making their policies for retention of personal data clear; obtaining explicit consent from individuals if they want to store sensitive personal data such as health data; and responding to requests from individuals on what personal data is held on them within 30 days. For many organisations within Ireland there will also be a requirement to appoint a Data Protection Officer (DPO), to publish the contact details for that DPO on their website and make sure consumers have a means of contacting them.
"Record-keeping under the GDPR will be a big part of compliance, and organisations will have to be able to produce their documentation on demand by Data Protection Authorities, and to individuals where necessary, in order to demonstrate how they are carrying out all of these responsibilities and more - it is about putting the individual at the centre and more in control of their data", she said.
Dixon says that one of the fundamental misunderstandings about the new regulation is the belief that it only applies to tech companies; in fact every organisation in the EU (or any organisation that holds data belonging to an EU citizen) is going to be subject to it.
"We say now that every organisation is a technology organisation - even your local sandwich bar has an electronic till and is processing credit card details, and most organisations now have a website. The GDPR is about individuals knowing what information is held on them, how long it is going to be held for and how that information is going to be used. There will be technological solutions to some of the challenges posed to businesses by the GDPR, but fundamentally this is not a tech challenge, it is a people challenge," she said.
Given the current poor understanding of, and compliance with, data protection laws, it is safe to say that complying with the strictest data protection rules in the world is going to be a challenge for Irish businesses and organisations large and small. The office of the Data Protection Commissioner has a busy few years ahead.
Helen Dixon is a speaker at the DataSec 2017 conference, which takes place on May 3 in the RDS, Dublin. The event will provide expert speakers, information and insight to help businesses comply with GDPR and get the most out of the new legislation.