Boards beware: GDPR is more than mega fines
Time is running out and there are no quick fixes, writes Group Business Editor Dearbhail McDonald
WHAT’S the difference between Y2K (aka the Millennium bug) and GDPR? ‘GDPR is actually happening’ is the punchline to the gag currently circulating in nervous corporate circles. What the two phenomena share are months of alarm, followed by feverish, last-minute preparations and the emergence of a fleet of gurus.
In the end, few major failures occurred in the Y2K transition from December 31, 1999, to January 1, 2000. But companies that fail to address data protection compliance obligations could, in a worst case scenario, face huge fines for breaches of GDPR.
There are, in fact, two tiers of administrative fines under the new General Data Protection Regulation (GDPR), which has major implications for businesses processing data belonging to EU citizens — irrespective of their location.
Some contraventions will be subject to administrative fines of up to €10m or, in the case of undertakings, 2pc of global turnover, whichever is the higher. Others will be subject to administrative fines of up to €20m or, in the case of undertakings, 4pc of global turnover, whichever is the higher.
For Data Protection Commissioner Helen Dixon, whose office will oversee the implementation in Ireland of the biggest European Union overhaul of data protection laws, the Y2K analogy is a poor one.
“First of all, there is no patch or system fix that you can stick on and say you’re ready,” says Dixon. “Those that are perpetuating the Y2K analogy are those that are unprepared.”
Maximum administrative fines aside (it will take a number of years for the system to normalise), the new data protection regime presents a series of risks for companies. These include corrective orders, warnings and reputational risks, as well as litigation from data subjects where there has been a breach of their personal data rights under the GDPR.
One of the greatest risks for companies will lie in the identification and notification of a data security breach — and that’s before they seek to contain the public fallout of a major breach. Dixon’s office, which recorded a 26pc increase in the number of valid data security breaches last year, is steeling itself for an “exponential” surge in reports, by companies and public sector bodies, of data protection breaches.
At present, reporting of data breaches is subject to a voluntary code and has been utilised, in the main, by financial services companies.
However, from May 25, reporting of breaches not later than 72 hours after the company becomes aware of the breach — even this clause will cause a headache for many companies — will become mandatory.
“The most significant thing around breaches, notification of breaches or any other aspects of the GDPR is that accountability lies with the organisation,” says Dixon.
“We have been saying for a long time that boards need to be aware of GDPR and need to understand the risks to the reputation of the organisation if it fails to comply, of monetary fines, as well as the fact that individuals will have a much greater right to go to court and seek compensation where there have been contraventions.
“We will have the power and the obligation in some cases to impose very serious and heavy-duty fines. So the board needs to be aware at those levels.” Dixon says that every single person in a given organisation — public, private or charity (including religious organisations) — needs to be able to identify a subject access request.
Similarly, every employee in the organisation needs to identify when they’ve committed a data breach, especially if it is potentially notifiable.
But what happens when an employee exercises their rights as a data subject against their employer? This is not a hypothetical question.
Last year aggrieved employees facing dismissal or disciplinary proceedings helped fuel a record rise in data access complaints to the Office of the Data Protection Commissioner (DPC).
Last year the number of complaints surged by almost 80pc, from 1,479 in 2016 to 2,642 in 2017, with access rights accounting for the largest single category (52pc).
Dixon says the DPC is increasingly being called to mediate disputes between employees and employers. “The best results are where we see it through to an amicable solution, if at all possible,” said Dixon, who denied workers were misusing Ireland’s data protection laws to go “fishing” for material.
Data access requests and discovery of material held by an employer are, however, featuring increasingly in litigation and employment law disputes. The High Court recently considered the novel issue of whether it should order a person to disclose documents which they do not hold but can obtain by exercising their access rights under the Data Protection Directive (EU Directive 95/46/EC).
The court concluded that a party may be directed to disclose all documents requested in discovery that are reasonably available to them by means of a data subject access request.
BY virtue of the sheer number of tech giants and other multinationals with European HQs here, Ireland has become something of a global Petri dish for some of the biggest existential debates surrounding data and privacy, as well as security and intelligence.
The demise of the EU-US ‘Safe Harbour’ began in an Irish courtroom before it was struck down by the Court of Justice of the European Union (CJEU) in October 2015.
Its successor, the so-called ‘Privacy Shield’ which allows companies to move the data of Europeans to the US with relative ease, has its own, widely acknowledged flaws.
The transfer of personal data to the US under the standard contractual clauses mechanism (SCCs) is the focus of a major referral to the CJEU in a case involving the DPC, Facebook and Austrian lawyer Max Schrems.
Dixon sought a referral in the Irish High Court after reaching a draft view that Schrems had raised “well-founded” objections over the transfer of his personal data to the US.
The case has cost her office some €2m for legal and related expert fees so far.
The referral also comes at a time when the Supreme Court in the US is considering whether emails stored by tech giant Microsoft at a data centre in Ireland are subject to US law.
The key regulatory role played by the DPC is partly the reason why multinationals are banging down her door on GDPR.
It also explains why her €7.5m budget is to increase to €11.7m this year, making Ireland’s DPC one of the most authoritative and best-resourced data protection authorities in Europe.
One area where Dixon will not be able to wield mega administrative fines is on public sector bodies, despite the fact that it is the State and its collection, use and retention of personal data that causes major concerns.
Will we have a two-tier system if the public sector is exempt from deterrent fines?
Dixon, who set up a Special Investigations Unit two years ago — which has investigated bodies such as hospitals and government departments — argued for the inclusion of public sector bodies.
Opponents say fines on public sector bodies will mean money circling around the Exchequer and impacting vital public services.
“Despite all those arguments, we think the interests of members of the public are better served where we have these types of powers,” says Dixon. “The GDPR loses some of its punch if one of the big deterrent mechanisms is not available to us to deploy in that way.
“In many cases they have a monopoly in terms of what they are entitled to collect from us.
“So, whatever about a two-tier, there is a possibility that we lose some of the force we will have with this expanded toolkit we have been given under the GDPR.”
For all the warnings, many of them justified, Dixon said that organisations should see GDPR as an opportunity to be embraced rather than a threat to be tamed.
“Those who demonstrate a true commitment to data protection will be rewarded in the marketplace for their services,” says Dixon.
Only time will tell.