5 Key Takeaways from the 2017 DPO Conference
1.“There will be significant fines”
The keynote speaker, Commissioner Cathal Ryan (ODPC) began with a clear rallying call: “Be proactive . . . get moving . . . otherwise it may be too late”, and ended with a re-commitment that “there will be significant fines”.
Speaking on the same day (26.01.17) that saw colleague Helen Dixon unveiling new and more extensive DPC offices across town, Commissioner Ryan reminded the audience how GDPR’s careful and measured use of wording (“infringements shall be subject to fines”) left little room for ambiguity. Whilst the tone was light and ‘working together’ messages predominated, he explained to the audience that “business as usual was not a sustainable strategy”. Meantime a cartoon played on-screen – “A regulatory body is here to see you” – depicting an onsite inspection in progress.
Illustration from the presentation given by Commissioner Cathal Ryan
2.“The world just got a lot more prescriptive”.
Ian Bourne from the UK ICO reviewed what was good, what was bad, and what had changed from before. “Previously, we didn’t really care how you complied – as long as you did”. The world had just become a lot more prescriptive, with black and white GDPR detail replacing interpretation in many areas. Everyone still needs advice and guidance, but with “territorial questions” now a key area of change, the GDPR still allows member state SA’s some leeway to steer and guide the delivery at the national level. Somewhere in between prescription and national guidance will be a happy medium but ultimately, the CJEU will refer to what is written in black and white.
3.The importance of Pseudonymisation & Anonymisation
The GDPR may run to 99 articles, but it’s only partially helpful for those seeking an insight into the complex IT techniques upon which compliance may depend. GDPR encourages the concept of “pseudonymisation” as a risk-reduction strategy (recital 26). Danielle Cussen from Wizuda explained how pseudonymisation enables organisations to use data for alternative purposes to those originally intended – as long as they’re legitimate – whilst still protecting the anonymity of the data subject. And what might ‘legitimate’ mean? Activities such as medical research, which are highly valuable to society, will become directly reliant on pseudonymisation as a technical enabler. She also discussed how another option is to anonymise data depending on the requirements which come out of an impact assessment. Data that is irreversibly anonymised is no longer deemed personal data (PII), and therefore is liberated from having to comply with GDPR. For most organisations, both solutions will need to figure in the technical toolkit for GDPR compliance.
4.The risk level will increase for Data Processors
Tricia Higgins highlighted the significant shift in accountability for organisations operating as “Data Processors”. Typically these might include 3rd party outsourced service providers who are processing data on behalf of a Data Controller. Under GDPR, Data Processors are now fully accountable for the GDPR compliance of the processing activities they conduct upon their customers’ data. The fines exposure is also identical regardless of whether you’re the Data Processor or the Controller, and Data Processors also have just 72 hours to notify the data subject(s) and SAs in case of a data breach. This is all in marked contrast to the previous directive, where the Data Controller side owned more of the responsibility for protecting personal data, and the Data Processor’s only concern was to comply with the processing contracts established between themselves and the data controllers.
5.Brexit wants a benign outcome for all sides
Looking into his post-Brexit crystal ball, Ian Bourne (ICO UK) (below) painted a picture of pragmatism during the period of regulatory uncertainty whilst the UK moves towards its long-term position upon exiting the EU. The high-level goal however, was to have “a benign outcome” for all sides. The non-alignment of timelines between GDPR and Article 50 means GDPR will happen regardless, for UK organisations. Thereafter, indications from a recent Commons Select Committee show something new at the UK level, and with a similar level of adequacy, is expected to come along to support continued access to the single market.
Ian Bourne (ICO UK) speaking with Wizuda CEO Brendan Rogan
To learn more about the successful launch of our new GDPR compliant data transfer at the DPO Conference, and to hear our Director of Data Services, Danielle Cussen’s speech from the day, see: https://wizuda.com/videos/