Data Protection and GDPR in Ireland: Your FAQs AnsweredPosted in : Business Legal on Data Security on 2 May 2019
The following is an edited transcript from a recent Webinar held on the 2nd May 2019 in Dublin.
Scott: Hey, good morning, everybody. This is Scott Alexander from Legal Island. I am here with David Fagan, who is a solicitor and commercial lawyer and Director of Business Legal. We're live from BEO Solutions headquarters in Dublin, in Shaw Street. Many thanks to the expert investigators that are Bernadette Treanor and Olivia Hande for hosting the webinar today.
If you do have questions, put them in through the little message box. We may have time at the end to deal with them. If not, we will get back to you afterwards with some further information.
Impact of GDPR Breaches
Aside from a hefty fine, damage to your reputation, and the loss of trust in your organisation by the consumer, are there any other ramifications of a breach of the GDPR?
David: Well, there are several, and there are some criminal penalties in Ireland for some very specific breaches or offenses committed under the Data Protection Acts. There's the risk of civil litigation, which is now wider than it was previously. Previously, data subjects could sue for material damage when there was a material, physical, financial effect upon them. Now, they can sue for non-material damage, injury to feelings, etc. It still has to be provable, but it's a much easier prospect for data subjects.
There's also the possibility of key employees being disciplined, which can affect internally in an organisation, and to being dismissed. From memory, the general counsel in Uber, I think, left his position a while ago as a result partially of data privacy breaches. That's always a possibility if the breach is big enough.
Scott: Yes, the big ones really could be, there's civil litigation by employees or data subjects, whoever they might be, could be customers or whatever. But there's some big ones going on in GB at the minute. At Morrison’s Supermarkets, there was a rogue attempt and ended up putting information on employees' personal bank details and such like on the internet. And they're facing thousands of the employees suing them at the moment.
David: Yes, there they mean it. In Ireland, there's no such thing as a class action, so it's not as if you can wrap an umbrella around that overall liability and put a number on it, and it might be expensive, but tidy. Here it will be just waves and waves of litigation if there is something. If there was something on the scale of a Morrisons breach, you could expect thousands of litigants, each individually suing in the Circuit Court, which would just be an administrative nightmare for an organisation.
Fines for Breaches of the GDPR
Scott: In relation to fines under GDPR, is it possible for an organisation to be fined twice, so €10 million, say, for failing to notify the DPC — or the appropriate authority in the EU, it could be based elsewhere — and another €20 million, say, for a data breach itself?
David: Yes, there are obviously maximum fines. But the concept — can you be fined for each offense — well, obviously. If you commit one offense, it's possible to be fined for it. If you commit two offenses — or should I say, breaches rather than offenses — if you commit two breaches, then it's possible to be fined for both of those breaches to the level of either 10 million or 20 million, depending on what the breach is.
Scott: One of the big issues for employers was SAR, Subject Access Requests. And my understanding is that there could well be fines for withholding information that's requested under a SAR. Is there any indication of what that might be?
David: There isn't really. We're still in the infancy stage. As a general proposition, Ireland has been very gentle in its enforcement of data protection, and a lot of privacy professionals have said this. The DPC possibly would reject that, but as an objective fact, fines tend to be quite low. So my guess is that fines will initially be quite low. But because of the European Consistency Mechanism, where all of the regulators are meant effectively to coalesce around similar positions, you'd have to assume that in Ireland, fines will level up.
Scott: Yes. Certainly, it used to be zero. If you look at the UK, their fines were something around three-quarters of the maximum fine for a big offense. But those would be the kind of things that might affect maybe health records and very sensitive information would be the biggest ones, or where there were mass campaigns by phone companies and that kind of stuff, mass spamming. They would end up with the big fines.
But there must be fines of some kind. And I don't know what's going to happen in the Morrisons case, for instance. But if your bank details are sent all over the internet, then there's bound to be some kind of damage. And for those types of things as well as the fines, that we . . .
David: You know, there has to be.
David: Obviously, on the damage front, there will be a raft of litigation. On the administrative fines front, we haven't had administrative fines before as a concept. So this is a new concept in Ireland, but the fines are quite substantial. And then we have always had the possibility of criminal prosecution.
To take the Morrisons incident, that is an unauthorised processing by an unauthorised processor, to a degree. And certainly here, that is one of the limited number of breaches that actually constitute a criminal offense. So you could find criminal liability, which have terms up to five years. So again, obviously you can't jail a company, but you can certainly jail a director or a manager or a rogue processor.
Role of Data Protection Officers
Scott: Yes, well, he is in jail at the minute. But such is life. We're moving on to data protection officers, and that was one of the issues there that most people find it very difficult to get the experts. So aren't you lucky, folks, we've got David here?
Data Protection Officers (DPO) need to be independent. So what happens if the emphasis or an improvement or some kind of course of action and the controller, who's the one who effectively owns the data, the employer, and in most cases that we're talking about here today, what happens there if you've got a conflict, really, of what should happen, between the DPO and the controller?
David: Well, I suppose it's important for people to realise that the DPO is not head of data protection. Their role is not really to be the company person in that sense. They're more in a kind of an independent auditor role. So if the DPO objects to some processing or his or her advice is not taken, it's not that the company or the controller has to absolutely follow the DPO's advice. But they are to take the advice, which means at least take it on board, come to their view.
So certainly a DPO could not be routinely ignored, and then be considered to be fulfilling the role, of the controller to be fulfilling their role. Their advice doesn't absolutely have to be acted upon. When they are consulted about matters, that does not mean that they have a right of veto. But clearly, it's untenable if they are always ignored, which sometimes happens in organisations.
But then subsequently that DPO was replaced and another DPO was appointed who was a head of unit within the department. And that head of unit was actually designated as being the controller for all the departments' personal data. And the problem with that is that's not independent. It's expressly prohibited by the Article 29 Working Group, which is the forerunner of the European Data Protection Board. I kind of hesitate to call it an oversight body, but it's in that kind of space.
So we have a clear situation where the department appears to be ignoring European Data Protection Board governance, and in fact, questions were asked in the Dáil on that recently. And so that's a case of watch this space, because it seems to be a case of the department not perhaps either fully understanding or fully being committed to following the guidance of the European Protection Board.
Scott: We’ll find out clearly what happens in that case in future, but it kind of highlights the level of interest that you get here if there's a data breach. If it's going to government circles and it's in the Dáil and whatever, that they're looking at these things, because it affects so many constituents.
David: Yes. And reported in various national newspapers. It's not under the radar.
Scott: And it's not just costs and fines and civil litigation. It's all the reputational damage that goes with problems when there's a data breach.
David: Yes. Essentially, the independence of a data protection officer effectively goes to the element of control. You're not really meant to control an independent auditor-type function. That's not expressly stated, but that's what the role is. But it's the closest analogy to what the role is. It's not meant to be the head of, it's not really acting as head of data protection. It's more acting in a protection role for data subjects.
Scott: Again, going back to the poll that we've just done, a lot of listeners have difficulty getting the data protection officers in. Could you share your thoughts on proportionality? Can organisations, for instance, appoint an external DPO on a shared-service model, or might small public-sector bodies ask a private provider to offer a service on a shared-service model?
David: Well, I suppose the answer is yes and yes. In relation to the sharing of services, it's expressly provided for in Article 37.2, which says that a group of undertakings may appoint a single data protection officer, provided a data protection officer is easily accessible from each establishment. So essentially, as long as there is access to that DPO, then one DPO can manage a bunch of organisations — or manage is possibly the wrong word, but can operate for a bunch of organisations.
Now obviously, there's still the requirement for the independence role, so they couldn't be roles where there would be a conflict between those organisations affecting the DPO. But as long as they're non-conflicting, as long as the role wouldn't be conflicted in that way, the DPO can be across several different organisations.
Scott: And it's better that you have somebody that is actually qualified than lots of people who don't have any qualifications.
David: Absolutely. A DPO, for instance, can be an employee or it can be somebody who's not an employee or somebody external. But the key thing is the independence of the role. Even as an employee, they must be independent. And obviously, as an external provider, they should also be independent.
So there are a lot of advantages to having an external person perform the role for a smaller organisation because far better to have a proficient, competent, experienced, qualified DPO who's possibly doing data protection 20 years, than to shoehorn somebody into the role with some initial training, for what might be a part-time role where they're doing a bit as DPO but also doing their day job as well. It's not absolutely prohibited, but it's much better I think to have somebody who is experienced and competent and qualified, than to have a bit of a person. So I think for smaller organisations, that's the way to go.
Scott: Okay. And without marketing you too much, it's something that Business Legal could do.
David: Yes. We have DPO insurance, so we're insured as DPOs, and we can provide DPOs to organisations where their requirement is, I suppose, for a bit of a DPO. Now, we can provide a full-time resource as well, but typically the market is for where people, they don't have a full-time resource, but they still need the body.
Scott: So there are lot of people don't need a data protection officer or a DPO, but they do need somebody who does something to do with data protection and try and keep things on board, answer some of the questions, and so on. So is it better if you're not required under statute to have a DPO, to not call them that?
David: Yes, because if you represent yourself to be a DPO, you're essentially saying that you come within Article 37 of the GDPR. And that is certain, it's a defined role. Whereas if you're not that person, you're better off giving yourself a freedom. The organisation is better off, having the freedom to have their lead privacy person, privacy coordinator, whatever they call it, not constrained by Article 37.
And there is a big risk, huge risk, if somebody is not in fact the statutory or the DPO role under the GDPR. They're misleading the data subject. He has a comfort that this auditor-type person set out with defined role in the GDPR. But in fact, that's not the case. There's a certain element of misrepresentation or of data subjects being misled and taking false comfort in the fact that there's a DPO in the organisation.
Scott: Thank you very much, David. You're listening to David Fagan from Business Legal and Scott Alexander, I'm from Legal-Island. We're chatting away, all things to do with the GDPR. If you do have any questions, you can send them in to the little message box there. I don't know that we'll get through them today, but we'll certainly get back to you. They're all anonymous, by the way, if any come through. So don't worry, we're not going to read out any names.
Data Processors and Controllers
Moving on to data controllers and processors, data controllers own, if you like, the data they're responsible for. And a processor is a third party who does something on behalf of a controller. So data controllers can be held liable if there's a breach by the processor.
Scott: And usually it's an outsourced service. So how does a controller protect the business?
David: The controller can always be held liable because they're liable, essentially, for everything. The processor has certain liabilities, but they're not instead of, they're as well as the controller's liability. So the controller basically protects the business by doing due diligence and by having appropriate contract on the due diligence front.
Essentially, you wouldn't buy a business without doing some form of due diligence, looking at the numbers, looking at the compliance of the company, because you're buying in liability. You wouldn't buy a premises without having an engineer look at it and make sure that the title is looked at, you are getting what you're expecting, etc.
Similarly, in relation to purchasing the services of a processor, you want to look at their privacy policies. You want to know that they're compliant. You possibly want to know something about their client list and who do they generally act for. Have they got recommendations from people who you trust? Are they a very large organisation? There's a difference between an organisation you've never heard of that might be two people operating out of their basement, as opposed to, say, Microsoft or Amazon. Because it's a question of who are we contracting with and understanding what the risk envelope looks like because of that knowledge.
Separately, you're mandatorily required to have a contract with that processor under Article 28.3. And it sets out a number of common-sense stipulations. In fact, prior to GDPR coming in, all of those stipulations were recommended best practice. So to me as a privacy practitioner, I've been saying to people, put this in place, this type of contract in place, for years. All that GDPR has gone and done is codify best practice.
There are some still additional things that you might like in those contracts, maybe indemnities or warranties or dealing with a pricing issue. You don't want, for instance, to have a processor give you a price when you are being obliged to deal with the regulators, so the DPC. And then you go to your processor and say, "Well, look, how do I deal with this, and tell me about this information." And the processor says, "That's no problem and here's my fee for doing it."
You don't want to be arranging the pricing at the last minute. Get all of that sorted at the start with your ordinary comfort or your terms and conditions, with that provider and also your controller processor contract.
Scott: You'll also need to do things like to ask them to notify you straight away if there has been a breach if there are any. Of course, you're going to be held liable if you don't notify the DPC.
David: Yes. All of that should be contained in your controller processor agreement.
Scott: Okay. One of the issues that all of our listeners will have is that they will have health records on employees. Now, that's pretty super-sensitive data. What are your thoughts about protecting health records?
David: Firstly, they're a special-category data. So in terms of the processing of that data, there were certain limitations on how it may be processed. But just assuming that you are, particularly employee records, they have to be processed. It's usually not an issue.
My view is that special-category data should be kept separate, where possible. My view is it makes it easier to control — paper files — if the data is segregated to make it easier to work with. You obviously need to keep them under good control, both the physical paper files, if that's what we're talking about, and also electronically.
It's about authorisation. You don't let all of your staff see all of your information. Not every staff member has access to senior management salary records. It's just common sense. Likewise, not every staff member needs access to health records. Keep the authorisations contained so that there's a limited number of people who can access this data.
Then, of course, there's the IT side, where software can help with automated deletion. Segregating the data, again, in the same as you segregate a physical file so that your special-category data is a subset of either the employee's folder, whatever, to make it easier to delete the data and to find the data.
Scott: Manager training, because it's one of the issues here, is about safety and such like. If controllers face fines, do they really need to argue they went as far as they could by training everybody in data safety? And might fines be higher for those organisations who fail to train in data protection compliance or safety?
David: I suppose the thing to say here is that the best-run organisations can have a data breach. So there isn't a direct correlation between how much effort an organisation has put into their privacy arrangements and the outcomes. Obviously, one would expect, the more effort companies made, the safer they would be. But that doesn't preclude the possibility of an actual breach happening.
What the DPC — and they gave this advice in a conference they gave just immediately prior to the GDPR coming into force, the government organised a very large conference in the conference centre — and what Helen Dixon, the Commissioner, said was she understood that there will be breaches in the best-run of organisations. What they are looking for is organisational, systemic approach to data privacy.
So an organisation that has a systemic approach to privacy, has looked at the issues, have done data protection impact assessments, have assessed the security, have done training, have put in place an environment where data safety is paramount, can still have a breach.
But she could look at that breach and then look at the exact same breach in another organisation, which is kind of fly by night, hasn't really made much of an effort. The two breaches are exactly the same. The two breaches have similar effects, same number of data subjects affected, same type of data subjects affected, same type of data. Identical.
But one might get quite a substantial fine because they haven't or really made an effort. The other could have a very low fine or, as she said, even a zero fine, even for a serious breach, where it could not be credibly said that the organisation has not done its best.
So it's actually, it's a way of front-loading, I suppose, the cost or de-escalating the cost by putting the training in place. The question is, do you want to be investing your money in fire-fighting fashion after the fact or do you want to be investing your money pre-any issues occurring?
Scott: Yes, like prevention and cure type of — yes.
David: Prevention and cure.
Subject Access Requests (SAR)
Scott: Moving on to subject access requests, because that was another issue that came up in the poll there that was difficult.
How can organisations encourage data subjects to narrow down a subject data access request if they have a legal right — and subjects do — a legal right to receive all the personal data held by the controller?
David: First, there are two ways, really, of trying to reduce the difficulty of dealing with subject access requests. One is by asking nicely. Sometimes requests are looking for a particular type of information, and if you ask them, "Is there anything you would like us to prioritise in our search," sometimes that can get an answer. You can prioritise that and ask them is there anything else they require, and they might say no.
So that's one way of doing it. The other way, much more commonly done, is to use a form specific to the organisation. Every organisation is different. If you use a form that clearly sets out information that is going to assist you in finding this personal data, well, then it reduces your difficulty.
Your form might have specific reference numbers, it might ask which division of the business they're interacting with, which products this is in relation to, which services in relation to, relevant dates, etc. So by the time the data subject has filled out the form, you've actually narrowed the search by virtue of themselves narrowing the search as they go through the form. And that's a very easy way of doing it.
You'll also notice a lot of high-tech, data-rich companies automate their processes, where the data is already available in automated form. So actually, when the data subject is going through that form and ticking boxes and drop-downs, etc., what that's actually doing is effectively performing the search and getting the data.
Scott: You’re just creating the fields.
David: It's automating the process, which makes it even easier.
Scott: Okay. And I think we're running out of time, so one last question before we finish up. I'm sorry we couldn't get to the ones that came through in the chat box, but we will take them on board and try and get back to you.
What are the top three things employers could do to minimise the risk of hacking? You've already indicated there's going to be a breach at some stage. We're all liable to, it's going to happen. What are the three best things we could maybe do?
David: I would break it into simply headlines. Essentially, security is in relation of organisational measures. The training of your staff, the authorisations of access, the systems you put in place in terms of your policies, all of that is an organisational measure. Then there are technological solutions, appropriate software and finding out what the issues are and firewalls and so on and so forth.
And the last one then is the thing that's often forgotten, which is that privacy is not just about IT. It can involve physical systems that are as simple as locks on doors, locks on filing cabinets, shields on PCs so they can't be seen from people the other side of the street, and so on so forth.
So big picture, it's about the organisation of the employees, the systems in place, and the technology in place.
Scott: Okay, thank you very much to David Fagan from Business Legal. Legal Island’s GDPR One Year On: Key Developments in Data Protection for Employers in Ireland conference is taking place on Thursday 6th June 2019 at the Crowne Plaza Hotel, Blanchardstown, Dublin.
Note: David Fagan produced an excellent Data Protection and Security video series (with accompanying transcriptions) last year. It's well worth a watch - and feel free to share the link(s) with colleagues and friends who would benefit from watching.
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.