In a session at the IAPP Data Protection Intensive here in London today, representatives from four European data protection authorities' offices were on hand to share some insights into what their offices are doing to prepare for the General Data Protection Regulation's forthcoming implementation. Judging by the number of folks standing in the back of the largest breakout session room on site, the DPAs were just the folks privacy professionals were hoping to hear from, and moderator John Bowman of Promontory was going to be sure to press them on the topics causing a collective rise in caffeine intake and dip in sleep-able hours.
While privacy professionals and companies have been working to get their processes in order, so too have the regulators who are tasked with watching over those processes. What that has meant for the Irish, French and U.K. data protection authorities is an increase in staff and budget across the board. The CNIL has seen the most subtle change there, adding two new positions but largely deploying internal resources for the oversight tasks the GDPR will present. The Irish Data Protection Commissioner's office saw a significant increase. When Deputy Commissioner John O'Dwyer started at the DPC in 2011, it had 30 staffers and was getting 1.7 million euros a year. It's now staffing up to 140, and its budget is 12 million. O'Dwyer is responsible for enforcement, audits and BCRs and said he's been "beefing up resources in each one of those areas to be ready for the first complaint we receive."
At the European Data Protection Supervisor's office, which will serve as the hub for the newly created European Data Protection Board, at the dissolution of the Article 29 Working Party, Isabelle Vereecken said they have set up a new department dedicated specifically to EDPB matters and comprising 20 people. It's also in the process of testing out its new IT system, one which will allow for the facilitation of cross-border data exchanges between data protection authorities.
At the U.K.'s ICO, as Commissioner Elizabeth Denham outlined in her keynote address yesterday, the office has been using its increased budget and staff to set up a breach-notification hotline, ensuring it has the capacity to deal with the opening of the floodgates on May 26 and also some of the logistics: What happens if it gets a breach notification on a Sunday afternoon at 2 p.m.? Does it have the ability to support that?
But, okay, on to the burning question everyone captured by the GDPR wants to know: What will you do with us if we fail? While Denham's address seemed aimed at alleviating those concerns, assuring that May 25 is just a date and doesn't mean the ICO starts dishing out fines when the clock strikes midnight, the DPAs on hand for this panel struck a different pose.
O'Dwyer said once Ireland's national legislation, bringing it in line with the GDPR, is passed through both houses of government, it's game on. "There is no grace period. The grace period ends the 25th of May." Fining powers are new for the Irish DPC, however, so "bringing companies into compliance might be a bigger burden on a company" than a fine even would, he said. As might directing a company to halt its data processing if it's found to be non-compliant, because that might "have huge implications for the company and their day-to-day business."
While fines are a new and powerful tool, it's not the only one "in the box, and we will be looking at what's proportionate and what's the proper thing to do to vindicate the rights of individuals whose rights are being infringed upon. Certainly the priority will be to get the company into compliance with the GDPR. The fines will be a strong tool in getting that enforcement message across."
The CNIL's Karin Kiefer, head of enforcement and litigation, noted that the Article 29 Working Party, which has been issuing guidelines for GDPR compliance for a year or so, has said DPAs will work together to establish some ground rules for when a fine is the appropriate action and when other corrective measures should be considered.
"It's very important to ensure the concept of the equivalency of guidelines" across member states, she said, adding a task force is working together on how fines should be calculated, "and it's a work in progress. We need to find a consensus ... by cooperating, discussing and exchanging information."
The DPC's O'Dwyer said the Irish regulator will be concentrating "in areas we see resistance by the companies in relation to transparency, in relation to showing us legal basis for processing and also in relation to the special rights of children."
The ICO's Deputy Commissioner of Operations James Dipple-Johnstone said, "Accountability is key in all of this. ... The vast majority of our work will be guidance recommendations and advice rather than the fines."
The DPAs are anticipating dispute resolution to be a game changer for the European courts. Decisions made by DPAs may be challenged in national courts, but courts cannot invalidate an EDPB decision; they can only refer questions of GDPR interpretation to the EU's Court of Justice.
"Yes, we expect to have many more cases," said Kiefer.
ICO's Dipple-Johnstone was clear: There isn't room for idling now. Yes, the regulator will focus on risk and evaluate things on a case-by-case basis, but, come May 25, "we will be looking to apply the rules."