Dr. Dennis Jennings is co-chair of the Irish GDPR Awareness Coalition along with Garry Connolly, who founded the Coalition. It is vital that any company or organization operating in the EU, large or small, Foreign Direct Investment (FDI) or indigenous, or simply doing business with EU citizens, understand and properly implement the Data Protection and Privacy Rights (DP/PR) regime of the EU. The General Data Protection Regulation (GDPR) 2018 will significantly change existing European DP/PR rules, requirements and protections, as well as the fines that may be levied for a failure to comply – they can be MUCH greater.[i]
GDPR 2018 has 2 main goals:
The rationalization of DP/PR policy, implementation, interpretation and enforcement across the EU via a centralized regulator (presently, DP/PR implementation, interpretation and enforcement is left to each of the EU’s 28 member states); [ii] and,
To enhance DP/PR protections of and control by EU citizens.
The Coalition’s awareness raising focus is on SMEs of all sizes, from the single employee company on. Many of the FDI companies that have come and will come to Ireland are SMEs, and from personal experience I know that the EU’s DP/PR laws are often a new obligation for a non-European FDI company, particularly for American FDI companies, to comply with.
The Irish GDPR Awareness Coalition is a fixed-term, not-for-profit organization of over 77 Partners and 101 Ambassadors representing leading Irish and international companies and organizations, with a mandate to raise awareness among SMEs and charitable organizations of the significant changes to Europe’s DP/PR regime that will become law in May 2018, and of the need for them to prepare for and implement these new regulations in a timely and compliant manner.
Dr. Dennis M. Jennings is an Irish physicist, academic, Internet pioneer, and early stage investor. In 1985–1986, he was responsible for the 3 critical decisions that shaped the subsequent development of the National Science Foundation Network (NSFNET), the network that became the Internet. For 22 years, Dr. Jennings was the director of Computing Services at University College Dublin, responsible for the university’s IT infrastructure and staff. In 1986, while on leave from UCD, he was interim President of the Consortium for Scientific Computing at the John von Neumann Center in Princeton, New Jersey, responsible for the start-up of its supercomputer center. He was the first Chairman of the Oversight Board of the Irish Centre for High-End Computing. He is currently the Chairman of the Board of Governors of the Royal Irish Academy of Music. In 2014, he became the first Irish person to be elected to the global Internet Society’s Internet Hall of Fame. Dr. Jennings co-chairs the Irish GDPR Coalition with Garry Connolly, who founded the initiative.
The impetus for the initiative was the feedback that Garry Connolly, President of Host in Ireland, received in 2016 from international companies thinking about setting up data hosting facilities in Ireland: “Is Ireland serious about Data Protection? Why is Ireland ranked so low in its awareness of the new EU Data Protection regulation?” It was clearly time to do something about that poor perception of Ireland, and the Coalition was established. Garry asked me to join as Co-Chair.
The Coalition is trying to do exactly as its name suggests – promote the awareness of GDPR among all organisations in the country – and the Coalition is as focused on “why” engagement is vital as it is on “how” to comply with the new GDPR requirements. Most large companies are taking this very seriously indeed. Many small companies and organisations have not even heard of GDPR! The Coalition is a gathering together of organisations that have customers and communities to serve – for example: the GAA, consultancy companies, telecommunications providers, software suppliers, equipment distributors, law firms, etc. There’s a full list of the current Partners on the website. Of course, the Coalition is not alone in trying to do this: The (much enhanced) Data Protection Commissioner’s office is very active, as is every major law firm, consulting company, and auditing firm.
Would you highlight some of the upcoming events and activities that the Irish GDPR Awareness Coalition plans to fulfill its mission?
The Coalition’s focus is on four activities:
Campaigning on Twitter and LinkedIn to bring GDPR and the Coalition to people’s attention;
Encouraging Coalition members to create a range of simple “Infographics” (one-page presentations) on GDPR for as wide a range of organisations as possible;
Developing a comprehensive calendar of all the Events and conferences planned over the coming months; and
Organising a GDPR Awareness Week (May 24th – 31st) of members’ events, with 17 nationwide events already set, culminating in a Coalition closing event on 31st May in the RDS in collaboration with the “IT, Data and Software Summit.”
GDPR 2018 will significantly change the Data Protection regulatory regime and rules across the EU. Can you give us your thoughts on the rationale of the European Commission in implementing GDPR 2018?
I think that the European Commission’s rationale is quite simple – the previous EU Directive was out of date and wasn’t working, in that the various data protection laws across Europe were too inconsistent and, in some cases, too weak. In addition, the European Court of Justice has recently determined that Privacy is a “fundamental human right” and that data protection is core to that right. A single consistent law across the EU was required, along with a much more explicit assertion of a citizen’s right to control and access their own personal data.
Among the most important changes that GDPR 2018 will bring about is the “federalization” of Data Protection and Privacy Rights – companies doing business in the EU will no longer have to deal with separate DP/PR offices in each country. Can you comment on this and some of the other major changes that companies in Ireland will need to prepare for and implement for GDPR 2018?
That’s my understanding too. This means that the Irish Data Protection regime, and Helen Dixon, the Irish Data Protection Commissioner, and her office, provide the key regulatory environment for Irish and multi-national companies operating here. Given the number and depth of the investments by the major search, social media, data hosting, and the other data-driven companies in Ireland, the effectiveness of that regime and the resourcing of that office are quite crucial. Fortunately, the Irish Government has significantly invested in the Commissioner’s office, and new recruitment has significantly enhanced and strengthened the resources available.
I suppose the key thing to be aware of is that personal data is essentially the property of the individual data subject, not the organisation that controls the data or that processes the data. Permission to use the data has to be properly obtained, and the usages specified. In general terms, data subjects must be able to review what personal data is held and correct errors; must be able to obtain their personal data when moving from one service provider to another; and must have the right to be forgotten when no longer using the services provided.
On the other hand, organisations that control or process data (including those international cloud-based hosting companies that process data for others) must: conduct Data Privacy Impact Assessments (DPIA) on all existing systems that process “sensitive” data, and conduct the same DPIA assessments and use “Privacy by Design” techniques when developing new systems; make sure that permissions are properly and explicitly obtained; hold the minimum data necessary; ensure, and take responsibility, that all other data processing partners, wherever located, abide by the GDPR rules; have adequate data protection security; (for large organisations) appoint a Data Protection Officer (DPO) at senior executive / board level; maintain, and make available for inspection and audit, comprehensive records of all processing of personal data; and disclose any data breach within 72 hours of any loss of personal data. Penalties may be very severe – amounting to €20 million or 4% of total worldwide annual turnover (whichever is the greater) for very serious breaches.
In addition, and for the first time under Irish law, data subjects (either individually, or, most significantly, collectively under class action) will have a right to sue for non-material damage in addition to material damage arising from data privacy breaches. This is all pretty dramatic stuff!
The Irish GDPR Awareness Coalition has been sharing some great infographics on social media regarding the application of GDPR 2018 to businesses in Ireland. The message of the infographics is that GDPR 2018 applies to ANY company or organization that collects any information that may be considered Personal Data. The largest companies typically have personnel with the expertise to understand, implement and respond to DP/PR issues and requirements, but it is unlikely that an SME in Ireland has similar capabilities. Awareness is Step 1. What steps does the Coalition suggest an Ireland-based SME take regarding GDPR 2018 once they’re aware of their obligations?
First, and most urgently, all organisations must clearly understand their obligations under this law; there is no grace period. I expect that the Data Protection Commissioner’s office will conduct inspections of large and small organisations as and from the 25th May 2018. There’s no “Ah! It won’t apply to us, and anyway, they’ll not expect us to be ready in time, and surely we’ll have months after that to sort ourselves out.”
The precise obligations depend of course on what data you control and process, or have processed, how “sensitive” that data is, and the scale of your operations. SMEs do need to treat this seriously – now – and make sure they do really understand their obligations. Clearly, for smaller organisations that process little personal data, the responsibilities are not as onerous as for major global corporations whose business relies on the processing and manipulation of vast amounts of personal data!
Then, the obvious next step: Do an audit: What personal data do you hold? Do you hold “sensitive” data? Why do you hold it? Do you have to hold it or can your processes be modified so that you don’t have to hold that data? How do you process it? Have you explicit permission to hold and process that data? Is it correct? What data do you “share” with others, and have you permission to do so, are they GDPR prepared and compliant, and are you prepared to accept liability for their processing of that data on your behalf? Can your data subjects get their personal data from you on request – and, in that context, what of your processed data (if any) are they entitled to access? Are comprehensive records of processing kept and ready for inspection? And so on.
Then, prioritise the results of the audit, allocate budget and resources, and get on with it. The clock is ticking, and May 2018 is only a year away.
Will SMEs be able to contact the Coalition, or perhaps find on the Coalition’s website information on further resources and expertise they can contact to assist them in their implementation of GDPR 2018?
The Coalition’s website is the first port of call. I think that the Infographics are very helpful, and the Calendar of Events should be consulted to find a conference, seminar, or briefing that can help your SME. In addition, the Partners of the Coalition may be able to assist directly with products or services, especially if you are already one of their clients or customers. There is also, of course, a growing amount of quite detailed information available on the Internet from a number of organisations. And, of course, consult your professional advisors (and get the advice in writing) – but do remember that your advisors are not responsible for your compliance with GDPR – you are.
Dr. Jennings, many thanks for your thoughts and insights, and to the Coalition and its Partners for their work on what is a very important issue for any company doing business in Ireland.