Data protection presents ongoing challenges for Irish institutions Steven Roberts is head of marketing at Griffith College. He is a certified data protection officer and vice-chair of the ACOI’s data protection and information security working group.
The General Data Protection Regulation (GDPR) recently marked its third anniversary. Since its introduction on 25th May 2018, data protection has been high on the agenda for education institutions across Ireland. A number of factors have contributed to this. Media interest in the potential for very significant fines, up to 4% of annual worldwide turnover or €20 million, whichever is higher, has undoubtedly played a part. High-profile data breaches at firms such as Marriott and British Airways have also ensured that the general public is more conscious of how organisations obtain and process their personal data. Amongst EU member states, Ireland recorded the third highest number of data breaches per 100,000 population during the period from 25th May 2018 to 27th January 2021. Ireland's Data Protection Commission (DPC), meanwhile, issued its first fines under GDPR last year, including penalties for Twitter, UCD, Tusla and the HSE. Against this backdrop, it is timely to consider some of the current and upcoming data protection challenges facing Irish institutions.

Lack of clarity regarding fines

A key challenge is the continued lack of clarity regarding the levying of fines. At present, there does not appear to be a consistent approach across EU member states. This makes it difficult for education institutions, their boards and executive teams to
accurately assess the potential impact of a data breach from the perspective of enterprise risk management. The DPC's largest fine thus far was a €450,000 penalty imposed on Twitter in December 2020. In comparison, the Data Protection Authority of Hamburg fined clothing retailer H&M €35m for GDPR violations involving the monitoring of employees. The French and Swedish supervisory authorities issued Google with GDPR fines of €50m and €7m respectively. It is to be hoped that more consistency emerges in the coming two to three years. Institutions should regularly review their risk registers in light of ongoing developments in this area, keeping a particular eye on the profile of fines issued by the DPC.

Delays introducing a new ePrivacy Regulation

Data protection and privacy are separate rights under the EU Charter of Fundamental Rights. Whilst GDPR focuses on protecting the personal data rights of EU citizens, the privacy and confidentiality of electronic communications is covered by another piece of legislation, the ePrivacy Directive. The EU originally planned to introduce a new ePrivacy Regulation (ePR) alongside the GDPR in May 2018. However, the ePR has become mired in lobbying and disagreement amongst EU member states. This creates issues for institutions and the broader business community. Firstly, the current Directive dates back to 2002. It is widely viewed as no longer fit for purpose given the rapid developments in online communications and technologies over the past two decades. Secondly, it has led to confusion as to how it and the GDPR can be consistently applied. This is most clearly seen with regard to website cookies, an area covered by the ePrivacy Directive. Lawyers and compliance experts have struggled to identify how best to ensure that cookie consent meets GDPR standards, i.e. that consent is freely given, unambiguous, specific and informed. To provide clarity, supervisory authorities across the EU have issued their own guidance. Ireland's Data Protection Commission published guidelines on cookies and other tracking technologies in April 2020, providing a six-month grace period in which to achieve compliance. Whilst this has proven helpful for Irish businesses, those with a footprint in more than one EU country must ensure they comply with local best practice in each jurisdiction. It is far removed from the harmonised approach promised in May 2018. Fines for breaching ePrivacy laws can be very substantial. France's supervisory authority fined Google

Steven Roberts' new book Data Protection for Marketers: A Practical Guide, published by Orpen Press, is available at all good bookstores and from www.orpenpress.com.