GDPR: 'With 46 days to go, I feel in equal measure terrified and excited' – Helen Dixon
Ireland's Data Protection Commissioner said today she is both "terrified and excited" in equal measure about the onset of General Data Protection Regulation rules, which will come into force on May 25.
Helen Dixon was speaking at Dublin Data Sec 2018, the second annual data protection conference organised by the Irish Independent and Independent.ie.
The EU-wide regime updates and overhauls European data protection law, and all companies and organisations that process the data of EU residents are obliged to comply with the new requirements.
"The GDPR is specifically structured to place responsibility on organisations," Ms Dixon said.
"Organisations now need to know that there will be a way of holding them to account if they do not shoulder responsibility".
On the subject of fines (businesses or organisations could face fines of up to €20m or 4pc of annual global turnover for non-compliance with the regulation, whichever is the larger figure), Ms Dixon said that they were necessary "to grab the attention of industry".
"It is the threat of sanctions that has woken people up to the need to comply [with the legislation]".
On the subject of the looming deadline, Ms Dixon said that May 25 will come and go "and nothing will happen some people say, but sooner or later failure to demonstrate and implement accountability will catch up with your organisation in some form or another".
"No organisation can afford to take the risk of not implementing".
Ms Dixon went on to say that those best placed to analyse their organisations' compliance with the regulation were "those in the relevant organisations themselves".
"Issues arise when organisations don’t think before they act, and don’t take the time to implement the legislation," she said.
In addition, she cautioned that while it was "essential" to put in place the various parts of the law, "these will all amount to nothing if your front-line staff do not understand the GDPR and if you fail to mitigate against the risks".
On this subject, Ms Dixon said that organisations need to have a clear internet and system for staff, clear disciplinary actions for employee misuse of data, and a plan for exiting staff that would have had access to data.
For organisations that may have left things late, Ms Dixon said that "now is a better time to start getting ready than later, start with Art 30 then conduct Art 24 Risk Assessment, then prioritise and sequence actions that your organisation needs to take".
"Project management skills are required to implement the GDPR effectively."
Transparency is another issue that entities need to take care of under Art 12-14, Ms Dixon told delegates at the event.
On the subject of enforcement, Ms Dixon said that it had to be "effective, proportionate, and dissuasive".
"We retain an obligation to handle every complaint we receive from an individual," she said.
However, she said that in the majority of cases, the Commissioner "will aim to amicably resolve the issue".
"We are aware that a fine of a small amount on a small business could be significant for that business," she added.
Ms Dixon finished by advising businesses to "keep the faith in preparations and have a plan".
The DPC is currently undertaking a "scoping exercise" before progressing with a targeted investigation following a major suspected data breach at Independent News & Media.
This is separate to another investigation by the Office of the Director of Corporate Enforcement which next Monday will ask the High Court to appoint inspectors to investigate the suspected data breach and a range of other corporate governance issues at the company.
Today’s event was opened by Pat Breen, Minister of State for Trade, Employment, Business, EU Digital Single Market and Data Protection.
Minister Breen told delegates that GDPR "is very near and the time for preparing for it is running low".
"It’s not too late, that is the message that we all need to observe today, there is a really good awareness out there," he said.
"We need to realise that we are leaving a digital footprint in cyber space that can be used to identify needs and wants of consumer needs and wants in society, but every citizen must have the confidence that their data is being used safely and responsibly."