On Friday 24 April, PAI hosted a breakfast briefing addressing the imminent deployment of the General Data Protection Regulation (GDPR) on 25 May.
Three speakers spoke about data governance and the use of data for better services.
Sharon Dillon-Lyons spoke about where our attention should lie in the month running up to the end of May.
Data Protection, she noted, is not new. We already adhere to legislative provisions for the protection of the right to privacy for individuals. The GDPR is not “reinventing the wheel”; it is a continuation and strengthening of the core principles already in place. “It’s not as though some terrifying audit will take place across Europe on 25 May,” she said, stressing the importance of focusing on continued, ongoing compliance. GDPR is a “living” obligation.
The first draft of the 2018 Data Protection Bill that would transpose the Regulation failed to carry through the high fines, as set out in the GDPR, for government departments. This was a difficult issue for the Office of the Data Protection Commissioner, an independent office. Fines under the new systems are supposed to be “effective, proportionate and dissuasive”. As a result, the second draft of the Bill set out a €1 million maximum fine for public bodies. Ms Dillon-Lyons noted that financial cost is not the only risk for contravention – reputational damage and loss of stakeholder trust are important considerations where a breach is concerned.
There is also the further concern of litigation from those whose data has been breached. Up until now, there hasn’t been much litigation in the area of Data Protection. Ms Dillon-Lyons asked the question, “why?” The threshold, at the moment, is reasonably high. To have a successful claim, you must be able to show that you have accrued damages. Will this change after May, with the right of action to the circuit court under the Regulation? There is no longer the burden of proving damages as a result of a breach. In fact, Ms Dillon-Lyons believes that “non-punitive loss actions will have a better cultural effect than any legislation”.
It might also be wise to plan for retrospectively seeking consent for any ongoing processes, as per the Article 29 Working Party’s recommendation.
A cause for concern, she commented, is that there is a tendency towards a “tunnelled view of preparing”. People working in Data Protection are aware of and ready for the Regulation, but that readiness does not always extend beyond them. There isn’t a “network effort” to examine the organisation as a whole and map where all the data is. By pulling in voices from all departments, you can ensure there are “adequate operational policies” as opposed to top-down policy that is out of touch with how the organisation is actually run.
“Does everyone in the organisation know what their specific jobs are?”
Finally, you should put in place immediate response plans for breaches of IT systems and physical storage of data.
Martin Mannion, of Deloitte, spoke about the ways big data can be used to construct a 360° model of the citizen. “Between the dawn of civilisation and the year 2003, we amassed five exabytes of data. We are now creating that every two days”.
Martin discussed the limitations of traditional storage of data, and presented the idea of using parallelism across a cluster of machines to create a horizontally-scalable system for storage of raw data. This is not only more cost-effective, but presents benefits for processing of the data. As the data is retained in its original, unfiltered form, it can easily be reanalysed at a later date in different ways. There is “no need to predefine a data scheme before loading”; you can store not only data tables but also audio and visual files.
This setup would serve as the basis for a Citizen 360° system. This would seek to use all of the various types of data available to build a solid image of a citizen. This system would look to improve engagement in a very powerful way.
The usability of this system would make rectification and erasure of citizens’ data much easier, as it would all be held in one centralised portal. For example, a similar system is in place in British Columbia, Canada, where all social services share information on a single platform to aid in providing better services to its citizens.
So, if this were to be employed here, “what do we need to consider? How can we employ this while staying compliant?” Role-based auditing would help ensure that information could not be accessed by anyone who shouldn’t be, or changed without due need. Cyber-security, as well as physical data safety, would be of the highest importance.
The final speaker of the day was Gurchand Singh, head of the data analytics team at An Garda Síochána. He began his presentation by assuring the crowd, “data, in and of itself, has no intrinsic value”. The value is in the application of that data, and the end purpose.
Mr Singh’s presentation aimed to illustrate the ways that data can be used to drive better public services and trust in public institutions.
By way of illustration, he spoke about a campaign undertaken by the team surrounding the area of home burglaries. They took information from the Garda Pulse system, hoping to “come back with an evidence-based analysis of what’s going on”, and provide “a data-driven response”. They collated the data, and noticed a pattern: burglaries were more frequent in the darker months. There were clear clusters of events in certain areas. They also noted that houses that were burglarised were often targeted again in the months that followed. They used these findings to develop and deploy community programmes and higher officer footfall in affected areas. As a result, they slowed the rapid rise of crimes of this type.
Mr Singh believes that data quality is highly important. He asked, “if your data is inaccurate or out of date, why are you holding it?”
He also believes that a well-rounded data analyst should always have an interest in the human side of data, and data protection principles. Data analysts often become myopic when presented with a large collection of data; they want to extract as much information as possible, and analyse it in as many ways as possible. When this happens, the rights of individuals can fall by the wayside. A key concern should always be “not only the possibilities, but also the limits of what we can do with the data”.
In terms of preparing and continuing compliance with the GDPR, it is certainly important to have plans. It is not, however, the most important thing.
“You can have lots of strategies, but culture eats strategy for breakfast”.