In this newsletter, we discuss reporting processes and breaches in the new GDPR business landscape, the EU’s proposed response to data flows post-Brexit, and how new technologies are being considered to aid firms with compliance. There is also information about how you can participate in our yearly Data Protection Survey.
To date, the Irish DPC has not made public any cases it has concluded under the 2018 Data Protection Act, and no civil actions have made it to the courts. As such, the interpretations and decisions made during GDPR projects remain unvalidated.
Developments in Irish legislation
Minister for Health, Simon Harris, has introduced the Health Research Regulations. The Data Sharing and Governance Bill 2018, sponsored by Paschal Donohoe, is currently before the Seanad.
Lawful processing of special category data
We understand that a number of organisations are seeking to use public interest as a lawful basis for processing special category data. This requires a separate regulation for each instance, and these regulations will need to pass through the Dáil and Seanad. We expect this process may suffer delays and result in some organisations accepting the risk that they do not have a lawful basis for processing in the short term.
Reports to the Data Protection Commission
The change in reporting thresholds has caused confusion and uncertainty for some data controllers. Pre-GDPR guidance encouraged ‘high-risk’ types of breaches to be reported to the DPC. In the new legislation, we are simply told that breach reporting is not required where the breach is ‘unlikely’ to result in a risk to the rights and freedoms of the data subjects involved.
It is not an easy decision as to where an organisation sets the bar for data breach reporting. If too many low-risk data breaches are reported, there is the chance of over-reporting and attracting unwarranted focus from the DPC. The flip side is that if you don’t report an event, the DPC could deem that you have not met your reporting obligations. Hopefully this will become clearer over the next few months.
Brexit and GDPR
On August 29th, the EU released the study ‘The future EU-UK relationship’. It analysed how data flows between the UK and EU will be impacted by Brexit. It concludes that the current legislation will not allow data flows between the UK and EU, because:
An adequacy decision would largely meet the requirements of the private sector. However, the process to grant an adequacy decision can only start post-Brexit and will take time.
An adequacy decision will not suffice for public sector data sharing which is underpinned by a myriad of EU legislation which will no longer apply in the UK.
The report recommends that an initial standstill period is agreed to allow time for a bespoke data sharing arrangement to be defined, drafted and passed into law in the UK and EU.
Technology investments to support compliance
Larger organisations generally updated their high-risk core platforms to account for GDPR in advance of May 25th. We see that many organisations are now assigning a budget for 2019 to GDPR-related technology. Based on a straw poll of our clients, the most common problems that organisations are seeking to use the technology to address are:
Searching and controlling data in unstructured systems such as email and file shares
Reduction or removal of the manual effort associated with processing SARs (subject access requests), including redaction
Implementation of retention policies
Governance tools to support the GDPR accountability principles.
It is not yet clear whether effective solutions are available for individual organisations. In addition, the business requirements for these solutions are not yet fully understood; in some instances, it is too early to define a business case. It seems many vendors are selling solutions that have been developed or significantly updated recently. Some of these solutions are not yet mature, and there appear to be many version updates coming in Q4 2018. At this point, putting an envelope for spend in the 2019 budget may be sensible. How it will be used may be less clear.
Project tail: the five most common areas where GDPR project activities remain outstanding:
Establishing and implementing retention policies and schedules
Obtaining agreement on Data Processing Agreements / Data Sharing Agreements
Management of unstructured data in email and file shares
Publishing and enforcing policies and processes in front line departments and teams
Completing legitimate interest assessments and DPIAs
It has been five years since the GDPR came fully into force. We now have a good idea of how data protection will be interpreted and should be applied. We also understand that it is always a moving target, with internal organisation changes, external guidance, sanctions and judgements needing to be understood and addressed.
In a recent article for The Irish Compliance Quarterly, Kian Caulwell, Partner, Head of Financial Services Consulting at Mazars and a member of the Compliance Institute’s Consumer Protection Working Group outlines the opportunities and challenges of being a compliance officer in an early-stage firm.