Ahead of GDPR, Ireland’s Data Protection Commissioner, Helen Dixon, warns of the realities of living in a data-driven world.
There is a digital revolution that is driving changes to our politics, economies and societies at an unprecedented pace, well beyond that of previous global industrial revolutions. It is a revolution that has brought with it a myriad of new challenges, including cyberbullying, revenge porn, fake news, online radicalisation and global cyber systems exploited by hackers.
On the other hand, we can all think of the benefits that new technologies have given us. Apart from the real impact that technology has had on the ways in which we communicate, its impact has also been felt in such diverse fields as the identification of genetic cancer markers, better understanding of climate change, combatting hospital infections, and the improvement to quality of life for people living with disability.
As a data protection authority, we are responsible for supervising how all types of public and private sector organisations collect and process ‘personal data’.
Personal data is information about you – your name, phone number, email address, purchasing records, health records – anything specific to you as an individual. Of all the problems of the internet era, maintaining control over our digital identity and controlling how we are tracked and monitored are amongst our most fundamental issues.
Context is king
Social media has led to a loss of nuance in debate. Individuals increasingly cast themselves on extreme sides of an argument: pro-remain versus pro-leave, pro-left versus pro-right, pro-technology versus pro-privacy. In the world of data protection, the reality is almost never just black or white, innovation or privacy. Context is king.
Think of genetic testing. In appropriate clinical settings with regulated professionals and ethics committees, genetic testing is a good thing where it leads, for example, to identification of markers for breast cancer. In these appropriate settings, ethical decisions can be made on what information patients should receive, whether other family members should be notified where they could be affected, or whether DNA samples should be destroyed.
On the other hand, think of commercial firms offering ‘child talent genetic testing’ – a test that purports to give you a firm idea of your child’s ‘strengths and weaknesses’. Many websites fail to outline the privacy implications of these tests: what data is collected, how it will be used, whether it will be sold, and how it will be stored.
So, we cannot say categorically that genetic testing is a positive use of personal data and does not violate data protection laws. Again, context is everything. Data protection authorities don’t make policy choices and don’t ‘like’ or ‘dislike’ any technologies; what we do require is that any organisation or public body processing personal data be able to justify the legitimacy and necessity of that processing, and demonstrate their compliance. Our role is to ensure that appropriate data privacy analysis is always conducted.
Context counts for all of us individually in our privacy choices. Our relationship with how we manage our identity has changed seismically in recent years, in ways we are only beginning to understand. It is generally impossible to live in today’s world without generating a digital footprint and being subject to some form of tracking, so we must each identify our own points of compromise and decide what trade-offs of personal data for services we are willing to make.
In May next year, the EU’s General Data Protection Regulation (GDPR) will come into force, allowing all of us to better understand our personal data choices. It is going to transform our relationship with digital service providers of all types. While the new law is based on existing data protection principles, its real strength lies in new accountability and transparency requirements for organisations, which will drive significant changes in behaviour.
Having to know your organisation’s personal data processing operations and its legal basis is going to be revolutionary, as will the need to incorporate privacy by design and default into all future planning. The new notice requirements to users should ensure the end of obscure privacy notices buried in small print. Adding real weight to these requirements will be the increased powers of sanction that the GDPR gives to data protection authorities, including administrative fines of up to €20m, or 4pc of total worldwide annual turnover.
The Irish Data Protection Commission has been preparing for the last two years. Our budget has quadrupled since 2014, we have close to trebled our staffing numbers to 70, and will have about 100 people at the end of this year. We’ve ramped up our outreach programmes considerably, most recently with the launch of a new microsite called GDPRandYou.ie to drive awareness and preparation for the GDPR.
The pace of digital change is only going to accelerate. While the GDPR recognises the potential of innovative technology, it demands that this is done in a responsible way, allowing each of us to control our identities and our personal data. It won’t solve all of the issues our internet world is throwing up but, overall, it is going to make the world a better place. At the Irish data protection authority, we are ready to play our part.
By Helen Dixon
Helen Dixon was appointed Data Protection Commissioner for Ireland in September 2014. She had previously held the role of Irish registrar of companies from November 2009. Prior to that, she held senior civil service roles in the Department of Jobs, Enterprise and Innovation, in the areas of economic migration policy; and science, technology and innovation policy. She spent the first 10 years of her career in the IT industry, working for two US multinationals with EMEA bases in Dublin.