Commissioner ‘awaiting answers’ from INM on alleged data breach

Introduction of ‘enforcement toolkit’ for regulators long overdue, says Dixon

 Data Protection Commissioner Helen Dixon during the second annual Data Protection Conference Dublin Data Sec 2018 at the RDS in Dublin. Photograph: Gareth Chaney Collins

Data Protection Commissioner Helen Dixon during the second annual Data Protection Conference Dublin Data Sec 2018 at the RDS in Dublin. Photograph: Gareth Chaney Collins

 

Data Protection Commissioner Helen Dixon has said she is awaiting answers from INM to questions about the suspected data breach involving potentially millions of emails and files transferred to a third party.

Ms Dixon was speaking at an INM-sponsored conference, Dublin Data Sec 2018, at the RDS in Dublin on Monday. The commissioner addressed about 250 people on the subject of the EU General Data Protection Regulation (GDPR), which comes into force in May and which provides for enhanced transparency and accountability on the part of organisations who process personal data.

Speaking to media outside the event, Ms Dixon said she could not give a precise timeline for when her office’s investigation into the suspected data breach would begin, saying she was awaiting answers from INM to questions about the scope of the investigation.

She had been scheduled to speak before the news of the alleged breach broke and she told media there were “no issues whatsoever” in relation to her appearance at the event.

The commissioner said her office had accepted the invitation to speak several months ago, and it was “just one of several events to promote compliance with GDPR”.

The Office of the Director of Corporate Enforcement (ODCE) is to apply next week to have High Court inspectors appointed to INM on foot of concerns about the proposed purchase of Newstalk radio and an alleged data breach.

In her address, Ms Dixon acknowledged that some organisations working on their compliance programme for the new regulation were finding it challenging, and parts of it frustrating.

“But we all have to bear in mind what’s at stake here, ultimately, which is whether we are able to live in a world that benefits from innovation and modern ways of online working, while also preserving the individual’s right to dignity and data protection,” she said.

Ms Dixon said the introduction of “a full enforcement toolkit” for data protection authorities as well as a regime of “eye-watering fines” was “long overdue in terms of driving home the message that personal data cannot be negligently treated and misused”.

Her office would be taking account of proportionality issues when calculating fines, she said, conscious that a fine of a small amount on a small business, could cause “very significant consequences for businesses”.

“So the manner in which we calculate the quantums of any fines will take that into account.”

The commissioner also told the audience that, under Article 82 of the regulation, individuals would have the right to go to court for compensation where they had suffered damage as a result of an infringement of their data rights.

In opening remarks, INM’s technology editor Adrian Weckler noted there were only 46 days to go before the new regulation came into force on May 25th.

He said we lived in “extraordinary times”.

“Data protection has rarely had the sort of relevance or resonance for all of us – and I do mean all of us – as it has right now. Obviously we are meeting today as my own employer, INM, faces its own challenges in this area, with an affidavit before the courts and issues of data protection at stake,” he said.

“The board of INM says that they’re dealing with the issues raised and will respond in due course,” Mr Weckler added.

Irish physicist and internet pioneer Dr Dennis Jennings, chairman of the GDPR Awareness Coalition, said he believed “horrible things are going to emerge over time” about the uses of data.

“There is an enormous industry behind advertising, which is accumulating data by fair means and foul to profile people and to deliver advertising to them. It’s my belief that organisations which are using Facebook ‘like’ buttons, are not compliant with GDPR.”

Facebook was due to inform users on Monday whether they had been impacted by the issue involving third-party access to data that was ultimately passed on to the profiling company Cambridge Analytica ahead of the US presidential election in 2016.

The event was opened by Minister of State for Data Protection Pat Breen.