The five-minute CIO: Helen Dixon, Data Protection Commissioner

17 Feb 2017

Data Protection Commissioner Helen Dixon. Image: Connor McKenna

Data Protection Commissioner Helen Dixon talks about the impact GDPR will have on the business landscape.

“Every company now is a data company,” warned Data Protection Commissioner (DPC) Helen Dixon, as the EU’s new General Data Protection Regulation (GDPR) looms.

Dixon describes GDPR as a “game-changer” in how organisations and individuals will treat and value data. While companies have been warned about punitive fines, one aspect that is rarely mentioned is the potential for civil action by individuals that will come in the wake of GDPR.

Dixon is currently in the eye of the storm when it comes to data protection of EU citizens. Her office is engaged in a High Court case involving Austrian lawyer and activist Max Schrems, social media giant Facebook and the US government over standard contractual clauses (SCCs) and the transmission of EU citizens’ data from Europe to the US.

Since taking the office in 2014, Dixon has presided over a quadrupling of the DPC’s annual budget, the opening of a new office in Dublin and an increase in staff to more than 60 people, with plans to hire 30-35 more people in the coming year.

The necessity to expand the resources available to Ireland’s DPC is not only about protecting data in Irish business and Irish society. The reality is that the DPC has a Europe-wide brief because of the presence of so many of the world’s biggest internet companies on these shores.

What will GDPR mean for businesses, and consumers too?

We see the GDPR as heralding a new era in the regulation or processing of personal data. And by that, we mean that the GDPR is bringing in amplified and expanded rights for individuals to control their destiny in terms of the data that is collected and processed; and then, correspondingly, putting a whole range of obligations on organisations that collect and process personal data to ensure that they are meeting those rights.

On top of that, for data protection authorities such as the Irish DPC, it is giving us a whole enforcement focus. We are going to have a range of sanctions that we can impose on organisations that contravene data protection legislation, and we are also going to have the capability to impose very large administrative fines.

So really, the GDPR is about putting the individual much more in the driver seat now, and organisations are going to have to have to respect that individuals have a right to know and understand what personal data is being collected and processed, how long it is going to be retained and for what purpose it is being collected.

How are businesses performing in Ireland when it comes to respecting consumers’ privacy rights and also protecting themselves from data breaches?

We see that some sectors now that engage very strongly with us, for example, the insurance or banking sectors, now have very strong compliance and education programmes to try and augment the standards of compliance across their sectors. Of course, it is a moving target for them all the time.

But then in other areas, we see from the individual complaints we receive that organisations really still have not yet come to terms with the fact that individuals have very strong rights under existing data protection law.

So, for example, we see that 52pc of the complaints that the Irish DPC receives are still about access requests. Organisations are refusing to comply with an individual’s request to have a copy of their personal data.

We are seeing a lot of organisations still sending SMS messages or using individuals’ mobile phone numbers – that they have collected without their consent – to directly market them.

So actually on that, we are planning to run two big information campaigns at the start of March; one on access rights of individuals, and one on SMS direct marketing, and we are targeting those messages at both individuals and organisations.

Every day, new implications for data protection are emerging; from senior people in positions of power making fundamental mistakes to large companies being hacked. What needs to happen to ensure that everybody has respect for privacy in the future? Is education the answer?

First of all, I think education of the individual on what their rights are under data protection legislation, and under the charter of fundamental rights, is going to be a good starter. The Irish DPC hopes to play its role in that as we roll out our GDPR awareness campaign.

The second thing is for organisations to take up their obligations under the law and to implement strong programmes of awareness and training in their organisations.

Time and time again, we see big organisations that have good data governance programmes but they are only as strong as the weakest link of their frontline staff.

So really, ongoing staff awareness and frontline staff training are necessary.

The third thing I think that is going to engender a culture of compliance is the enforcement focus under the GDPR; the fact that administrative fines are going to be administered against organisations that contravene the law. Sanctions are going to be taken.

There is likely to be publicity around the sanctions that are administered and that is going to help drive a culture of awareness.

An interesting feature of the GDPR is also the fact that it increases the rights of data subjects, in terms of their ability to take civil actions against organisations that contravene their data protection rights, and obtain compensation from those organisations, so I really think we are going to see a big increase in terms of actions taken by individuals directly against organisations.

With many of the world’s global data companies present in Ireland, how do we cultivate a culture of data protection while ensuring this industry continues to grow and develop?

There is clearly a huge presence of tech and and internet multinationals here and, correspondingly, we have had to develop a huge expertise in regulating those types of entities, and social media companies.

Since I took office in 2014, we’ve had a quadrupling of the budget of the DPC. It is now more than €7.5m per annum.

We’ve been able to recruit large numbers of additional staff; we now have in excess of 60 staff at DPC.

We’ve opened a new office in Dublin, with more than 30 staff based here. In particular, from my point of view at deputy commissioner level, we have expanded our numbers to four. Recent new recruits that we’ve added on that team have been a litigation specialist lawyer and a technology consultant specialist.

So we have increased our senior management capability considerably.

We have also recruited and focused on recruiting into our multinational and technology team. We have brought in systems analysts, security analysts, security specialists and software developers, in order to deal with the quantities of cases that we now have that are technology-related.

We often talk about the fact that every company is now a technology company.

Every company now is a data company as well.

These types of skills are critical in terms of delivering on our role. We are about to start a recruitment campaign; in fact, it is already underway for 2017. We are going to recruit an additional 30-35 staff, and again we are confident that we can attract industry specialists who want to come and work at the regulatory authority, in cutting-edge cases we are dealing with at the intersection of technology and data protection law.

When it comes to new areas such as the internet of things and drones, what priorities will the office of the DPC be setting in the year ahead?

The more I study the GPDR, the more I see how clever it is.

I think the GPDR is going to allow us the ability to regulate all of those new technologies such as drones, internet of things and artificial intelligence.

Albeit, I think there is going to be a challenge for industry to come up with new ways itself to deliver on things such as the transparency and notice requirements to individuals, to decide what affirmative action that constitutes consent is going to look like under those new technologies.

So that, I think, is going to be a challenge for the industry, as well as the regulators.

We talked earlier about the fact that the GDPR is about putting the individual in the driver seat, allowing them control and ensuring that organisations respect their fundamental rights.

I think all of the industry providers in those new technology spaces should start out with that orientation towards what they are doing, then we can achieve compliance and achieve the benefits of technology for society and for economies, but also have as strong a protection as possible for the individual in terms of their rights.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years