A Special Report is content that is edited and produced by the Special Reports unit within The Irish Times Content Studio. It is supported by advertisers who may contribute to the report, but who do not have editorial control.

Is enough being done to enforce EU data protection laws?

With fines of up to €20 million for data breaches, organisations are realising the seriousness of handling data, to the benefit of the consumer

GDPR enhances rights for individuals who now have a greater say in how their personal data is collected and processed by organisations. Photograph: iStock

GDPR enhances rights for individuals who now have a greater say in how their personal data is collected and processed by organisations. Photograph: iStock

 

Whether you’re an IT expert or merely an online shopper, GDPR won’t have passed you by. An EU directive, the General Data Protection Regulation came into force in Ireland in May 2018 and has had a major impact on how data is managed and protected in the Republic.

Eighteen months later, is enough being done to enforce the regulations? And what will Brexit mean for GDPR?

Kevin Curran, professor of cybersecurity at Ulster University, explains the introduction of GDPR ushered in a new paradigm in data management.

“Previously, if you were chief technical officer, it was difficult to get investment in data systems from senior managers because they thought unless there was a breach, there was no problem,” he explains.

“It was all about the bottom line but now that organisations can be fined up to €20 million, or 4 per cent of turnover, management have realised the seriousness of handling data, especially personally identifying data. Companies have to invest more, they have to do more audits, they have to have the proper software.”

Society as a whole has thus benefitted from the raft of obligations and accountability GDPR has placed on businesses who collect and process personal data, Curran adds.

“Everything is more transparent and fairer, and it has made it easier for consumers because companies can’t use nefarious practices like before, such as sharing data with third parties.”

GDPR represents a significant evolution of the 1995 rules on data protection rules, says Erik O’Donovan, Ibec’s head of digital economy policy.

“It enhances rights for individuals who now have a greater say in how their personal data is collected and processed by organisations,” he says.

When it comes to cybersecurity, the regulation is clear that in terms of managing any potential risk from data breaches, organisations must develop a data breach prevention, detection and reporting framework. Businesses must enable individuals to exercise their rights, implement technical and organisational controls to manage potential risks posed to individuals’ rights, and demonstrate compliance, O’Donovan explains. The GDPR also provides for greater sanctions and enforcement powers for data protection authorities, he adds.

Raised the stakes

Fergal Crehan, data protection officer with Three Ireland, agrees that GDPR raised the stakes for non-compliance and forced many businesses to take their data protection obligations more seriously.

“I think businesses are more aware now that personal data can’t simply be harvested and allowed to sit in a database but is something that they have a legal duty to manage securely and responsibly,” he says.

But policing GDPR compliance is another matter entirely. While Curran admits the average small to medium business does not appear to have been targeted to any major degree as of yet, the likes of Facebook and Google being hit with enormous fines for non-compliance has acted as a warning message for those who are not fully compliant with the regulation.

“These fines went into the hundreds of millions. As the regulation matures and we see more data breaches in the future where it was clear they didn’t handle the data properly, we will see fines and it will be enforced, there is no doubt about that.”

The Data Protection Commissioner’s recent findings against the Department of Employment Affairs and Social Protection are also hugely significant, adds Crehan.

“They highlight that no entity that processes personal data is above the law, even if that entity is part of the Government itself. The next step is to move to enforce these findings. I think that will send a message that data controllers have to actually fix non-compliance, even if it is expensive and inconvenient to do so,” he says.

Currently, GDPR enables the free movement of personal data across the EU, including Ireland and the UK. Understandably, there are fears that this will come to a juddering halt in the event of a no-deal Brexit. If Brexit occurs without any deal, then the UK could become a so-called “third country”, meaning it is not deemed a safe place for the data of EU citizens and thus subject to stricter data transfer rules.

“Obviously, there is still a major degree of uncertainty around Brexit. A no-deal Brexit scenario would create a range of new barriers to the transfer of data between the EU and UK, including Northern Ireland,” says O’Donovan. Curran adds that this could have a major impact on trade in Northern Ireland.

If the UK becomes a third country outside of the EEA, including the EU, additional “appropriate safeguards” will be required to permit EEA-UK transfers of personal data. One such common transfer-safeguard mechanism is the use of an approved standard contractual clause between a data exporter and importer, explains O’Donovan, adding that Ibec and the Data Protection Commission have held a number of joint briefings for businesses on this issue.

Impacts of Brexit

According to Crehan, data transfers are one of the most underestimated impacts of Brexit.

“A withdrawal agreement will allow for those data transfers to continue in the interim, but in the long term the EU may decide that the UK is not a safe destination for EU data. This threatens the UK data industry, but also presents a challenge for EU businesses who use UK vendors,” he explains. Such businesses should look into putting appropriate contractual arrangements in place or, in the long term, moving to EU suppliers, he adds.

The best case scenario is that the UK is given what is known as “adequacy status” – this is awarded to countries outside the EU that can prove they use the same type of good practice in data management and more or less abide by GDPR rules. Countries who have availed of this include Israel, Isle of Man, Faroe Islands, Switzerland and Jersey.

“The UK is hoping for that because it means they can just copy and paste and will still be for all intents and purposes an EU country when it comes to data management,” says Curran. “There is always the risk that they will be treated as a third country but when it comes to it, I don’t think that will happen.”