Wednesday 04 October 2017

Daragh O'Brien

Daragh O’Brien has almost seventeen years’ experience in Data Quality and Data Governance roles across a variety of industries. He spent a number of years in roles with operational responsibility for Single View of Customer strategy and regulatory governance in the telecommunications sector. Daragh has contributed to Irish Government policy development on Data Protection and Data Governance, and Freedom of Information. He is also a regular media commentator in Ireland and internationally on data management-related issues.

Let’s get some myths and half-truths out of the way early in this article.

 

  1. The GDPR won’t apply to all Public Sector bodies.

The GDPR applies to the processing of data about people in any context outside of a purely domestic context. Therefore, it applies to all Public Sector bodies.

It applies to the processing of personal data, which has been defined even more broadly in the Regulation than in the Data Protection Directive and Data Protection Acts that it will replace. The broader definition in the GDPR, combined with recent CJEU case law effectively means that the scope of what constitutes personal data can include anything that can directly or indirectly identify an individual. For example, the unique identifier associated with the SIM card in your mobile phone can indirectly identify you and allow you, your movements, the people you associate with, and other data about you to be singled out of a data set.

So, it pays to start paying attention now to the types of data you are handling in your day-to-day activities and determining if you can directly or indirectly identify people from the records. If you can, it’s time to start taking action to get ready for GDPR.

 

  1. The two-year countdown starts in 2018.

The GDPR in in force now, but becomes enforceable at midnight on Friday 25 May 2018.

As the DPC has recently felt the need to point out, there is no “sunrise” period for GDPR from 2018. This is it. You are in it. It is nearly over (in project management terms, at least). If you don’t believe me, visit https://www.timeanddate.com/date/workdays.html and see how many working days there are between now and 24 May 2018 (GDPR minus 1 day).

It’s less than you think.

Prudent organisations are now beginning to develop a sense of urgency over GDPR. Less sensible ones are starting to panic. Even less sensible ones are still ignoring it and hoping it will go away.

 

  1. Nothing needs to be done until the Data Protection Bill is passed into law

The enactment, or otherwise, of the Data Protection Bill has no impact on the enforceability of rights or the introduction of obligations under the GDPR. It is an EU Regulation and therefore applies with direct effect. All the Data Protection Bill can do in the context of the GDPR is give effect to a number of areas of local variation in Member State law, and to ensure some Articles can be implemented effectively in domestic law. But, if we don’t have a Data Protection Act replacing the current legislation, the GDPR will still be the law.

The Data Protection Bill does affect the application and implementation of the Data Protection Directive for Law Enforcement. But it’s a directive. It does not have direct effect. So, for those in a law enforcement function, there will be a need for domestic legislation to give effect to the changes in the EU Data Protection regime that affect law enforcement. But the core principles espoused in the Directive for Law Enforcement are broadly the same as those in the GDPR, so hanging on until the last minute might not be a prudent course of action.

By focussing on the big ticket issues in the GDPR (purpose specification and limitation, governance, documentation of processing activities, etc.) you can get some traction on the tasks necessary for ensuring your law enforcement functions are ready ahead of the legislation to give effect to the Data Protection Directive for Law Enforcement.

Bear in mind – the Law Enforcement Directive applies only to the law enforcement functions of your organisation (if you have any). All other processing of personal data falls under the GDPR.

 

  1. Public Sector bodies are exempt from penalties under GDPR.

I’ve had a number of people (who should know better) tell me that Public Sector organisations will be exempt from administrative fines under the GDPR.

This is bunkum. There is a proposal in the draft Heads of the Data Protection Bill. It is a proposal that is publicly opposed by the DPC, has raised concerns on the part of Digital Rights Ireland, and has been questioned by independent Data Privacy consultants, such as myself.

Even if it wasn’t bunkum, it’s worth bearing in mind that your organisation would still face the very real prospect of being sued by people who are affected by any breach of the GDPR’s principles. And the Data Protection Commissioner has a range of other enforcement tools available under GDPR (and the Law Enforcement Directive).

 

  1. The Data Protection Directive for Law Enforcement will only apply to the Gardaí

“If it is ‘law enforcement’, it must just mean the Gardaí” is a comment we have heard recently.

Unfortunately, not so. Quite a lot of Public Sector bodies have law enforcement functions, as they are

competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.[i]

 

If your organisation levies fines or other criminal sanctions against individuals, then your organisation has a law enforcement function. Examples would include planning enforcement, litter enforcement, TV licence enforcement, or even obscure offences such as the offence of “failure to follow an instruction” issued by a Local Authority (which is an offence, even if the thing you have been instructed to do or not do is not an offence).

So, what kind of criminal sanctions might you be levying that might bring the Data Protection Directive for Law Enforcement to your door?

 

 

Getting down to the nitty gritty

So, what should people in organisations be doing?

 

One: Familiarise yourself with the principles of the GDPR. Take careful note of how security is just one of the principles. Be very careful not to conflate or confuse Data Protection/Privacy with Security. The Data Protection agenda is much broader! It’s also important to understand how the core principles in Article 5 are reflected in, and are given effect by, a number of other Articles.

 

Two: Get a handle on when, where, and why your department or section is processing data about people or data that could be used to identify people. It might not be obvious. But knowing where it is, why you have it, and what you are using it for can help you meet your obligations under Article 30 of the GDPR. It can also help you identify any immediate issues and risks relating to the security of that data as it is being processed – and bear in mind that the GDPR and Data Protection Directive for Law Enforcement apply to both electronic and paper records.

 

Three: Have a look at what you are telling people you will use their data for. A key aspect of GDPR is fairness, lawfulness, and transparency of processing. While the Law Enforcement Directive doesn’t require transparency to the same extent, it still will require clarity as to what basis you are relying on for processing data. And if your organisation has both law enforcement and non-law enforcement functions, you’ll need to be crystal clear about what rules are applying in what circumstances.

 

Four: Understand the grounds on which you are sharing data with other organisations, and examine the mechanisms by which data is being transferred between your organisation and others. The GDPR, combined with the Bara ruling from the CJEU, create a very clear set of principles that require even Public Sector organisations to identify the categories of organisation with whom data is being shared, and the basis for it. It’s important to bear in mind that the GDPR removes the “Legitimate Interest of the Data Controller” basis from Public Bodies, meaning that the DPC’s guidance that sharing requires an appropriate statutory basis becomes even more important to heed.

On that note, it is also important to remember that the statutory basis you are relying on needs to be both necessary and proportionate. So, legislation granting broad powers to request data from other organisations may need to be revisited and, at a minimum, the approach to exercising those powers will need to become more constrained in the scale and breadth of data that might be requested.

It is also going to be inevitable that a number of high-profile public sector projects will likely face challenges complying, given the difficulty some organisations appear to have had understanding the actual facts and implications of the Bara ruling and the impact of the GDPR.

 

Five: Finally, you need to bear in mind that Data Privacy is a Fundamental Right[ii] in the EU and is increasingly being recognised as such in other jurisdictions as well. Security is one aspect of the right, but ensuring that there is a balanced approach to protecting the privacy of people that enables them enjoy other rights is an essential element of the objectives of the GDPR. If you apply “privacy by design” and put the Citizen at the centre, it becomes easier to understand and apply the principles of the GDPR to your day-to-day processing and for you to do what you can in your role to improve the balancing of the right to data privacy with the need to process data.

Education is a fundamental part of that. Public Sector bodies need to ensure that staff are educated and trained in core GDPR principles and that a clear vision for the value of data privacy and meeting data protection standards is communicated in the organisation.

 

That way, everyone can move forward based on facts, not bunkum myths and half-truths about GDPR.

 

Notes


[i] As per Directive2016/680, available here.

[ii] View the European Convention of Human Rights, s.1, Art.8, available here.