Last week MoneyConf firmly put Dublin in the Fintech spotlight. The pressure on financial services firms to make better use of technology to reduce costs and improve customer service shows no sign of relenting. At the same time they need to carefully navigate the related regulatory challenges around technology outsourcing. A member of the ECB Supervisory Board recently observed that banks are not “technological houses” and said that the fragmentation of banks’ services across a range of external providers creates a “challenge” for banks’ leaders, who retain responsibility. This statement will resonate, in particular, with financial institutions looking to understand how much they are currently using, and how they can make more and better use of, cloud-based technology solutions.
The Data Protection Commission (DPC) has revamped its website and published online forms to help organisations comply with their new obligations under the GDPR.
The website contains a new Data Protection Officer (DPO) Notification Form, which must be completed by organisations to inform the DPC of their DPO’s contact details. The GDPR requires the appointment of a DPO in the following circumstances: (i) where the processing is carried out by public bodies or authorities; (ii) where an organisation’s core activities consist of large-scale regular and systematic monitoring of data subjects; and (iii) where an organisation’s core activities involve large-scale processing of special categories of data (i.e. sensitive data) or personal data relating to criminal convictions and offences. A DPO may also be appointed on a voluntary basis. However, organisations should be aware that a DPO designated on a voluntary basis will be subject to the same obligations and tasks under the GDPR as if the designation had been mandatory.
Ireland succeeded in enacting the Data Protection Act 2018 prior to today’s GDPR deadline, with the President signing the Act into law yesterday. The Act implements derogations permitted under the GDPR and represents a major overhaul of the regulatory and enforcement framework. This briefing note analyses the key provisions under the Act and its likely impact on businesses operating from Ireland.
The Article 29 Working Party (WP29) has published a position paper on the scope of the derogation from the obligation to maintain records of processing activities. Article 30.5 provides that the record-keeping obligation does not apply to organisations with fewer than 250 employees in certain circumstances. The WP29 has stated that the position paper was published as a result of a high number of requests from companies received by national Supervisory Authorities. Despite the existence of the derogation, the WP29 encourages SMEs to maintain records of their processing activities, as it is a useful means of assessing the risk of processing activities to individuals’ rights, and identifying and implementing appropriate security measures to safeguard personal data. In light of the new accountability principle in the GDPR requiring organisations to be able to demonstrate how they comply with their GDPR obligations, it would certainly be prudent for all organisations, regardless of size, to maintain such records.
The position paper makes it clear that all organisations, without exception, must maintain a record of processing in regard to human resources (HR) data, as such processing is carried out regularly and cannot be considered “occasional”. Accordingly, all organisations must ensure they can present records relating to HR data to their supervisory authority post-May 2018, if requested. This will entail keeping a record of the types of HR data processed, the categories of data subjects (i.e. employees, ex-employees, candidates, consultants), the purposes of the processing, the recipients of such data (e.g. any third party service providers), the data retention periods for each type of HR data processed, details of any non-EEA transfers of HR data, and the security measures in place to protect such data.
On 26 March 2018, the US Department of Commerce (DOC) published an update on action it has taken to support the EU-US and Swiss-US Privacy Shield frameworks. It highlights the oversight and enforcement measures taken in regard to the commercial and national security aspects of the Shield Frameworks.
The Data Protection Commissioner (DPC) has published her Annual Report for 2017, which discusses the key activities and challenges of her office last year, as well as her priorities for the coming year. The DPC spent much of 2017 raising awareness of the GDPR. She continued to engage with organisations in regard to their data protection law compliance, carrying out over 200 consultations and 100 face-to-face meetings in which preparation for the GDPR was a constant feature. The DPC dealt with a record number of complaints (2,642), most of which were resolved amicably. She was also busy on the litigation front, particularly in regard to court proceedings concerning the validity of the EU Standard Contractual clauses as a legal mechanism to transfer personal data out of the EEA.
As a follow-up on its Communication of September 2017 on tackling illegal online content, the European Commission has published a non-binding “Recommendation” which formally lays down operational measures which online platforms and Member States should take, before it determines whether it is necessary to propose legislation to complement the existing regulatory framework. The Recommendation applies to all forms of illegal content which are not in compliance with EU or Member State law, such as terrorist content, racist or xenophobic illegal hate speech, child sexual exploitation, illegal commercial practices, breaches of intellectual property rights and unsafe products. The Recommendation puts pressure on online platforms to implement more proactive measures to ensure faster detection and removal of illegal content online. It has been criticised by digital human rights organisations as essentially forcing online platforms to “voluntarily” police and censor the internet, without respect for the fundamental right to freedom of expression.
In October 2017, the Government published the General Scheme of the Communications (Retention of Data) Bill 2017 (the Bill). The draft Bill was published in response to Chief Justice Murray’s Report, which reviewed the law concerning the retention of and access to communications data held by communications service providers, and recent decisions of the EU Court of Justice (CJEU) in the Digital Rights Ireland and Tele2 cases. Having engaged with stakeholders to hear their views on the draft Bill, the Oireachtas Joint Committee on Justice and Equality has now published its Report on pre-legislative scrutiny of the Bill.
Speaking at A&L Goodbody’s breakfast seminar, ‘GDPR – The Last Lap’, Anna Morgan, Deputy Data Protection Commissioner, has warned that companies who ‘over-report’ and adopt an overly conservative approach to the GDPR’s breach notification requirements may risk enforcement action from the Data Protection Commission (DPC).
Following on from Davinia’s post last week, we have now prepared an update that covers the key aspects of the Data Protection Bill 2018 of most relevance to businesses that are in the process of preparing for the GDPR.