5 Key Takeaways from the 2017 DPO Conference

Wizuda attend DPO Conference in the Aviva Stadium, Dublin

1. “There will be significant fines”

The keynote speaker, Commissioner Cathal Ryan (ODPC), began with a clear rallying call: “Be proactive . . . get moving . . . otherwise it may be too late”, and ended with a re-commitment that “there will be significant fines”.

Speaking on the same day (26.01.17) that saw colleague Helen Dixon unveiling new and more extensive DPC offices across town, Commissioner Ryan reminded the audience how GDPR’s careful and measured use of wording (“infringements shall be subject to fines”) left little room for ambiguity. Whilst the tone was light and ‘working together’ messages predominated, he explained to the audience that “business as usual was not a sustainable strategy”. Meantime a cartoon played on-screen – “A regulatory body is here to see you” – depicting an onsite inspection in progress.

Illustration from the presentation given by Commissioner Cathal Ryan

 

2. “The world just got a lot more prescriptive”

Ian Bourne from the UK ICO reviewed what was good, what was bad, and what had changed from before. “Previously, we didn’t really care how you complied – as long as you did”. The world had just become a lot more prescriptive, with black and white GDPR detail replacing interpretation in many areas. Everyone still needs advice and guidance, but with “territorial questions” now a key area of change, the GDPR still allows member state SAs some leeway to steer and guide the delivery at the national level. Somewhere in between prescription and national guidance will be a happy medium, but ultimately the CJEU will refer to what is written in black and white.

 

3. The importance of Pseudonymisation & Anonymisation

The GDPR may run to 99 articles, but it’s only partially helpful for those seeking an insight into the complex IT techniques upon which compliance may depend. GDPR encourages the concept of “pseudonymisation” as a risk-reduction strategy (recital 26). Danielle Cussen from Wizuda explained how pseudonymisation enables organisations to use data for purposes other than those originally intended – as long as they’re legitimate – whilst still protecting the anonymity of the data subject. And what might ‘legitimate’ mean? Activities such as medical research, which are highly valuable to society, will become directly reliant on pseudonymisation as a technical enabler. She also discussed how another option is to anonymise data, depending on the requirements which come out of an impact assessment. Data that is irreversibly anonymised is no longer deemed personal data (PII), and therefore is liberated from having to comply with GDPR. For most organisations, both solutions will need to figure in the technical toolkit for GDPR compliance.

 

4. The risk level will increase for Data Processors

Tricia Higgins highlighted the significant shift in accountability for organisations operating as “Data Processors”. Typically these might include third-party outsourced service providers who are processing data on behalf of a Data Controller. Under GDPR, Data Processors are now fully accountable for the GDPR compliance of the processing activities they conduct upon their customers’ data. The fines exposure is also identical regardless of whether you’re the Data Processor or the Controller, and Data Processors also have just 72 hours to notify the data subject(s) and SAs in case of a data breach. This is all in marked contrast to the previous directive, where the Data Controller side owned more of the responsibility for protecting personal data, and the Data Processor’s only concern was to comply with the processing contracts established between themselves and the data controllers.

 

5. Brexit wants a benign outcome for all sides

Looking into his post-Brexit crystal ball, Ian Bourne (ICO UK) (below) painted a picture of pragmatism during the period of regulatory uncertainty whilst the UK moves towards its long-term position upon exiting the EU. The high-level goal, however, was to have “a benign outcome” for all sides. The non-alignment of timelines between GDPR and Article 50 means GDPR will happen regardless for UK organisations. Thereafter, indications from a recent Commons Select Committee show that something new at the UK level, with a similar level of adequacy, is expected to come along to support continued access to the single market.

Ian Bourne (ICO UK) speaking with Wizuda CEO Brendan Rogan

To learn more about the successful launch of our new GDPR-compliant data transfer at the DPO Conference, and to hear our Director of Data Services Danielle Cussen’s speech from the day, see: https://wizuda.com/videos/

The Challenge - Wizuda Case Studies

The board of a multinational medical device organisation required a secure, cloud-based solution which facilitated virtual board member collaboration on key documents in preparation for monthly board meetings.

The documentation was regularly of a highly commercially sensitive nature, largely relating to ongoing clinical trials, and as such demanded a secure and encrypted platform which could be implemented without the engagement of internal IT resources.

Key challenges that needed to be considered:

  • Geographically dispersed stakeholders
  • Highly commercially sensitive documentation
  • No internal IT involvement
  • Multiple stakeholders required to collaborate on single documents

The Solution - Wizuda Case Studies

Wizuda MFT gave them a centralised view of all their file transfer activities and a network overview of the data flows. IT now had instantly available reporting and could provide geographic maps and network overviews to senior management of all file transfer activities in the organisation. These could also be categorised in ways that made sense for the business from a priorities perspective. Wizuda’s unique ‘Health Check’ dashboard, with automated monitoring and alerts, allowed them to manage all transfer operations proactively and ensured they were always on top of any issues.

From a GDPR compliance perspective, transfers could be linked to Data Protection Impact Assessments where required, and data could be anonymised as part of the transfer process. Wizuda MFT enabled them to apply the latest security protocols for file transfers and encrypt data at rest and in transit. Passing cyber-security and GDPR compliance audits became a lot easier.

About Wizuda

Developing IT Solutions to Make Businesses Better

At Wizuda we focus on developing IT solutions which help businesses grow and empower people to collaborate and stay connected securely and compliantly. Specialists in secure data transfer since 2001, all development and support operations are carried out from our two Irish offices located in Dublin (Wizuda Headquarters) and Limerick. We pride ourselves in developing software solutions that allow organisations to take back control of their file transfer and data sharing operations, enabling them to operate efficiently, securely and compliantly.
