Enforcing the GDPR
Where stands the Irish Data Protection Commission?
In our latest blog, Deputy Commissioner Dale Sunderland sets out the Data Protection Commission’s approach to enforcing the GDPR
In this final countdown to the General Data Protection Regulation, with over 90% awareness among businesses in Ireland of this new EU data protection law, it’s no surprise that attention is increasingly zoning in on the consequences of being found in contravention of the GDPR. With this comes the quite reasonable question of what the Irish data protection authority’s (DPC Ireland) approach will be to enforcement in the coming weeks, months and years.
The GDPR will apply in full from the 25th May and, as the national supervisory authority for Ireland, the Data Protection Commission (DPC) will be responsible for monitoring the proper application of all aspects of the new law by all organisations and businesses located in Ireland. This includes the multinational companies with their EU headquarters in Ireland and for whom the Irish data protection authority will be the EU Lead Supervisory Authority, as well as non-EU based companies whose services and products target EU users and who nominate a representative in Ireland under Article 27 of the GDPR.
From this coming Friday, DPC Ireland’s obligation to monitor the implementation of the GDPR will kick in. As we are mandated to do, we will be carrying out our greatly expanded role under the GDPR using all of the supervisory and enforcement tools at our disposal. At one end of the scale, this will include DPC Ireland’s longstanding engaged supervision approach to dealing with organisations to drive compliance with the law, especially in advance of the implementation and roll-out of new products or services involving the processing of personal data. At the other end of the regulatory spectrum, we will be taking enforcement action against infringements as necessary and proportionate.
“In the early days of GDPR will there be a bedding in period where the DPC takes a more lenient approach to non-compliance?” is a question we are very often asked. The simple reality is that no provision has been made in law for a grace period from compliance with the GDPR post 25th May. In fact, that period commenced two years ago when the text of the GDPR was finalised.
But let’s not dwell on what can’t be changed. The much more important message we want to hit home is this: regardless of whether an infringement of the GDPR arises on 25th May 2018 or 25th May 2019, an organisation can minimise and mitigate the potential consequences and sanctions that it could face. Influential factors in this regard will include the ongoing state of health of the organisation’s GDPR compliance programme; a genuine commitment and best efforts to meeting its GDPR obligations; the scale and impact of any infringement that may arise; whether the organisation was negligent or wilfully in breach; and readiness to engage openly and transparently with both the Data Protection Commission and the individuals whose data it processes.
It must also be emphasised that apart from any interaction a business may have with the DPC, from 25th May individuals may seek compensation from the Irish Courts in their own right for breaches of GDPR in respect of the handling of their data.
Setting enforcement priorities
While our investigative and enforcement activities will be primarily directed by complaints and breach notifications received by DPC Ireland, we will also have the power to commence investigations on our own initiative in order to tackle infringements or potential infringements of the GDPR that we have identified. Action in these areas will be largely framed within the context of the GDPR’s risk-based approach to data protection compliance. Accordingly, from 25th May, to ensure best use of our resources in the interests of achieving the best outcomes for individuals, we will be focusing on areas of greatest impact and risk to the data protection rights of individuals.
In particular, we will be targeting our supervisory and enforcement activities at organisations and sectors operating in both the private and public sectors that are involved in large-scale data processing activities that constitute a high risk. This may include organisations which engage in intensive online tracking and profiling; online internet platforms (including online apps); organisations which process special categories of data such as health or biometric data or other high-risk personal data such as financial and insurance data; companies which use emerging technologies such as Artificial Intelligence and Internet of Things, or which are intensively engaged in automated decision making and profiling of individuals.
Which GDPR provisions to prioritise for supervision and enforcement?
In setting priorities, we must also look to the GDPR which provides some guidance as to the hierarchy and distinction that is to be made between the various obligations of data controllers in the context of an infringement and maximum quantum of the administrative fine that may be imposed. Article 83 of the GDPR sets out the conditions for the imposition of fines. Those elements of the GDPR which may be subject to the highest range of fines (up to €20 million or 4% of global annual turnover) include infringements related to the principles of data protection, the lawfulness of processing, conditions for consent and data subject rights such as transparency, right of access, right to rectification and right to object.
While the level of a fine will always be determined against the “nature, gravity and duration” of the infringement, Article 83, in setting out two tiers of maximum fines, is a clear pointer for data protection authorities as to those elements of the GDPR that carry most weight.
The supervision and enforcement activities of DPC Ireland, therefore, will also be prioritised towards ensuring that organisations comply with the rights of data subjects, that the principles of data protection are respected, and that organisations are fully transparent in terms of the data they collect and process, the lawful basis on which the data is processed and the purpose(s) for which the data is processed.
As we have previously stated publicly, we will be targeting our early GDPR supervision and enforcement activities on compliance with the transparency obligation given its centrality to ensuring that individuals can easily understand what, how and why their data is being processed.
Consistency in supervision and enforcement
Supervision and enforcement action by DPC Ireland will be pursued in full accordance with the provisions of the GDPR and the Irish Data Protection Act 2018 which together set out in detail the procedural steps that must be followed in the course of an investigation and imposition of a sanction.
The Irish Data Protection Act, in making a clear distinction between the investigative and adjudication/sanctioning functions of the DPC, provides a “checks and balances” process that will serve to protect the integrity of our investigations and decisions on sanctions. It also provides the DPC with an internal mechanism to ensure consistency when making determinations on infringements and the application of sanctions.
Consistency in interpretation and enforcement of the GDPR will be further achieved through DPC Ireland’s participation in the new European Data Protection Board (EDPB).
We are committed to playing a central role in drafting EDPB guidance papers, following on from our lead rapporteur roles on the Article 29 Working Party’s published transparency guidelines and guidelines currently in preparation on Codes of Conduct and the use of the contractual necessity basis for lawful processing.
We will participate fully in the GDPR’s cooperation mechanism between Lead Supervisory Authorities and other concerned data protection authorities in the context of the investigations relating to multinational companies operating in more than one EU Member State.
We will actively encourage industry sectors to pursue GDPR codes of conduct at national and pan-European level, which will set down sector-wide frameworks for GDPR compliance; and we will pursue implementation of GDPR certifications, seals and marks, which will provide standards, mechanisms and tools for organisations to demonstrate compliance with the GDPR.
As the GDPR is a principles-based, technology-neutral regulation, many of its provisions have and will continue to generate debate as to interpretation and application, particularly where emerging technologies are concerned. We fully appreciate this reality and that notwithstanding the best efforts of data protection authorities to get it right, the ultimate role of the courts in the coming years in interpreting the GDPR must be acknowledged.
For our part, DPC Ireland will apply our supervisory and enforcement powers with impartiality, fairness, transparency and in accordance with due process and fair procedures. The rest is up to the companies and organisations that process personal data to meet the GDPR standard and to be accountable in demonstrating compliance.
In the final analysis, the businesses and organisations leading the pack in navigating the requirements of the GDPR and meeting the GDPR standard will be those that are committed to data protection compliance at the top management level and who have proactively sought to build awareness and embed a data protection culture at all levels of the organisation.