By Lewis Barr | Posted on April 25, 2018
The International Association of Privacy Professionals is the world’s largest information privacy organization. Last week, I attended IAPP’s data protection conference in London where UK Information Commissioner Elizabeth Denham and representatives from the data protection authorities (DPAs) of Ireland, France and the European Data Protection Supervisor (EDPS) spoke about their preparation for enforcing the EU General Data Protection Regulation once it takes effect on May 25 of this year. Not surprisingly, the regulators reminded us that there would be no grace period when it came to enforcing the law.
In her keynote speech, Commissioner Denham was keen to point out that her office would continue to engage with business to promote better data protection practices and to support international data flows and emphasized her belief that privacy and innovation go hand in hand. She spoke about the variety of enforcement tools that her office will deploy in response to finding GDPR violations, depending on the circumstances of the violations. These tools range from official warnings to compulsory audits and orders to stop processing. Commissioner Denham made it clear, however, that in the event of persistent negligence or deliberate flouting of the law, her office would not be shy in imposing appropriate fines.
All the DPAs present spoke of the work their respective offices have undertaken to get ready for May 25 and beyond. Beyond the guides and model tools that have been prepared and shared online by the regulators’ offices (e.g., UK ICO Guide to the GDPR, CNIL guidelines and PIA templates, and Ireland DPC resources), they have been hiring up staff and, in particular, expanding their complaint management departments. It is worth noting, in this regard, that the DPAs already receive and investigate a surprising number of complaints. For example, John O’Dwyer, Deputy Commissioner of the Office of the Data Commissioner for Ireland, stated that the Ireland DPA handled 2,500 complaints last year, but expects that number to increase significantly under the GDPR. The UK Information Commissioner’s Office (ICO), which has the largest staff of all the member state regulators, is planning on increasing the number of caseworkers handling complaints to 200 by 2020, with a total projected headcount increase for the office from 520 to 700, of which 60 will be engaged in enforcement with an equal number providing guidance to the public and privacy community.
With the myriad privacy challenges presented by developing technologies and the broad protection mandates for their agencies, the regulators all agreed on the need to focus their GDPR enforcement efforts on several areas of concern. For businesses with establishments or business markets in Ireland and the UK, the initial focuses of the Ireland and UK DPAs should be of particular interest. Commissioner Denham stated that the UK ICO will be focusing on cybersecurity and artificial intelligence (AI) — think algorithms and device tracking — and that her office will be developing a “regulatory sandbox” for developers to present AI proposals for privacy protection review. Deputy Commissioner O’Dwyer of the Ireland DPA stated that important areas of focus for Ireland’s office will be transparency and the rights of children. The EDPS representative informed us that her office had been developing IT tools, such as common complaint formats, to support efficient information exchange and cooperation among EU member states in investigating and resolving complaints.
While some news organizations are focused on May 25 as the date on which the GDPR takes effect, the compliance and accountability work will be ongoing. As for the focus of companies under the aegis of the GDPR and the privacy professionals advising them, former UK Information Commissioner, Richard Thomas, nicely summed up what it should be during a discussion on managing privacy across the value chain by urging that we banish the use of the term “data subjects” and keep in mind that the GDPR is all about protecting people — men, women and children.