Interim Statement of Strategy 2017-2018
Foreword by the Commissioner
Ms. Helen Dixon
Data Protection Commissioner
I am delighted to present the Irish Data Protection Commissioner’s Strategy Statement for the period 2017 to end 2018. This Statement outlines our key objectives as we continue to transition from our current regulatory environment to the new EU data protection regime, which comes into effect in May 2018.
This Strategy Statement was prepared for publication on the eve of what we believe will be a historical turning point in the regulation of data protection in Europe; the enactment on May 25th 2018 of the EU’s General Data Protection Regulation (GDPR). The GDPR heralds the move to a regime of accountability on the part of all organisations, consequentially backed up by strong regulatory enforcement.
This new regime represents a significant departure for the DPC as a regulator. We will acquire significant new powers and duties, work in closer cooperation with our EU counterparts under the new cooperation and consistency mechanisms and the European Data Protection Board provided for in the GDPR, and we will expand in resources and re-structure to implement the procedures necessary to underpin our enhanced role as an enforcer.
For the remainder of 2017 and 2018, we will continue our focus on strategic organisational change and restructuring, as well as focussing significant efforts externally towards the facilitation of preparations by all organisations in Ireland to take up their new obligations under the GDPR. Our organisational capacity has steadily grown in recent years with the re-establishment of a Dublin office, the tripling of our staffing resources from 29 staff in 2014 to 96 by the end of 2017, with projected staffing levels expected to reach 140 in 2018. This transformational change would not have been possible without significant government investment in the DPC, the continuation of which is essential to ensuring that we can carry out our functions as a well-funded, independent and internationally respected data protection regulator.
I look forward to working closely with current and future colleagues, stakeholders and my EU counterparts in delivering on the objectives of this Strategy and continuing to uphold the EU fundamental rights to data protection and privacy.
Data Protection Commissioner
The Data Protection Commissioner (DPC) is the national independent authority in Ireland with responsibility for upholding the fundamental right of the individual to have their personal data protected. The statutory powers, duties and functions of the DPC are as established under the Data Protection Acts 1988 and 2003, which transposed the Council of Europe Convention 108 and the 1995 Data Protection Directive.
As the lead regulator for many large data-rich multinational companies, including technology internet and social media companies operating in the European Union (EU), the DPC plays a central role in safeguarding the data protection rights of many millions of individuals across the EU. The increasing pace of innovation of the services provided by these companies drives much of our work and activities.
Using our statutory powers, the DPC undertakes investigations of complaints from individuals, and identifies risks to personal data protection in a variety of public and private sector organisations through consultations with organisations processing personal data, and through on-site inspections and audits, amongst other activities. The DPC also seeks to drive better compliance with data protection legislation through the publication of high-quality guidance, proactive engagement with public and private sector organisations and ultimately enforcement action where necessary.
The new EU Data Protection Framework
A new EU data protection legal framework, replacing the existing 1995 Data Protection Directive with a modernised code more reflective of the evolving technological climate, comes into effect across the EU on 25 May 2018. The new framework comprises the General Data Protection Regulation (GDPR) and a Directive (2016/680) concerning personal data processing in a law enforcement context (Law Enforcement Directive).
The GDPR enhances the data protection rights of individuals, giving them greater control over how their personal data is collected and processed by organisations. The Regulation also increases very significantly the obligations on organisations that process personal data, requiring greater levels of accountability and transparency in respect of their data processing operations. Significantly, the territorial scope of the GDPR also extends to organisations based outside of the EU in circumstances where they monitor the behaviour (i.e. gather personal data) on individuals within the EU, or provide goods and services to individuals in the EU. The GDPR also confers much wider powers and obligations on EU Member State data protection authorities (DPAs) which will become “supervisory authorities” under the new regime. The GDPR provides for a harmonious approach to the interpretation and implementation of the new legal framework by supervisory authorities through various cooperation and consistency mechanisms. The DPC will assume the role of a “lead supervisory authority” under the GDPR in respect of many of the technology, internet and social media companies which have their European headquarters in Ireland.
In addition, the European Commission has published a proposed new Regulation on Privacy and Electronic Communications (ePrivacy Regulation). The draft ePrivacy Regulation proposes further additional and significant changes to the law, aimed at enhancing the security and confidentiality of individuals’ online activities, including email and internet based instant messaging. As provided for in the draft ePrivacy Regulation, the independent national supervisory authorities responsible for monitoring and enforcing the application of the GDPR will also be responsible for enforcing the rules under the new ePrivacy Regulation. In the Irish context, some of these regulatory functions are currently the responsibility of ComReg.
This Statement of Strategy covers the period 2017 to 2018. The DPC’s Strategy will be reviewed in late 2018 following the coming into effect of the GDPR. Building on the DPC’s early learnings and experience of regulating under the new legal framework during the initial months after it coming into effect, a longer-term strategy for the period 2019 to 2021 will be prepared.
Protecting data privacy rights by driving compliance through guidance, supervision and enforcement.
The DPC will be a fully fit-for-purpose independent, internationally respected and trusted supervisor and enforcer of EU data protection law.
We will at all times demonstrate professionalism, competence and expertise in performing out our enhanced role under the GDPR as a lead supervisory authority for many of the world’s largest technology, internet and social media companies as well as the supervisory authority for Irish domestic companies and organisations, both public and private sector. Where necessary and proportionate and in accordance with Irish and EU law, we will apply sanctions (such as administrative fines) against any company or organisation which has infringed the law. As required by the laws of the new data protection legal framework, we will handle complaints from individuals who believe their data protection rights have been infringed and investigate such complaints to the extent appropriate.
The skills profile of our staff, our structure and size, processes, our procedures and our budget will reflect our expanded domestic and international functions and responsibilities.
The DPC will progressively build stronger international collaborative relationships with DPAs and consumer regulators across the globe. We will work in cooperation with all EU DPAs, as required under the new legal framework, and fully participate in the implementation of a harmonised data protection regime throughout the EU.
We are committed to demonstrating the following values in performing our functions and fulfilling our responsibilities and in all of our interactions with individuals, organisations, statutory and regulatory bodies and other stakeholders:
Our Strategic Objectives
1 Build the capacity and capabilities of the DPC to reflect our enhanced role under the new GDPR, Law Enforcement Directive and ePrivacy Regulation regime
Together the GDPR, Law Enforcement Directive and proposed ePrivacy Regulation represent a fundamental overhaul of the EU’s data protection and communications privacy laws. For the DPC, the new regime will mean unprecedented organisational change, increasing very significantly our supervisory role and tasks and our engagement with our fellow EU DPAs. The DPC will transition from a legislative environment in which the DPC enjoys exclusive competency, to one which provides for a harmonised approach to the application of data protection rights and obligations across the EU.
In preparation for regulating under the new regime. We have initiated a root and branch review of our organisation to ensure that we have the optimal organisational structure, processes and procedures, resources and ICT Systems to enable us to perform our regulatory functions expertly, competently and professionally. We formalised this process via a GDPR Readiness Programme that has included an analysis of the gaps in our capacity that need to be filled over the next year and an analysis of the risks to our readiness by May 2018. This work builds on the significant progress achieved in recent years in building our organisational capacity.
By the end of 2017, our staff resources will have tripled from what they were in 2014, reaching almost 100. Specialists in technology, law, investigations and communications are joining our team. The provision of significant additional government funding through 2018 and beyond will be essential to enabling the DPC to fulfil our regulatory obligations and meet the high standards expected of us as one of the world’s leading data protection authorities, and to safeguard and enhance our reputation, in particular at EU and international levels.
We will continue to augment the DPC’s capacity and capabilities as part of the the evolution of our expanded supervisory role under the new regime, through the following priority actions:
1.1 Engage proactively with Government to ensure (a) that the underpinning national legislation which is required to give effect to certain aspects of the GDPR and transpose the Law Enforcement Directive, provides us with the regulatory powers required to carry out our functions and (b) that we have the required financial and other resources, including staff and appropriate accommodation, to enable us to do our job effectively and efficiently.
1.2 Conclude work on redeveloping our structures, processes and systems (including our ICT capabilities) to ensure our continued effectiveness under the new data protection regime.
1.3 Enhance our expertise and capacity through the training, development and upskilling of staff, and the targeted recruitment of staff with specialist skills.
2 Close collaboration and partnership with EU and international DPA counterparts, and regulatory bodies in other sectors
The new EU data protection legal framework heralds a new and welcome era in cooperation between EU DPAs. The DPC will become the lead supervisory authority for a large number of the world’s leading technology, internet and social media companies with their European headquarters established in Ireland. In performing this vitally important role we will be cooperating closely with both other EU DPAs to ensure the consistent application of the new data protection regime, as well as with international DPAs outside the EU to share knowledge and regulatory experience.
We will achieve our objective of close collaboration and cooperation with our EU and international counterparts by:
2.1 Engaging proactively and contributing at EU level through the Article 29 Working Party (comprising the EU’s DPAs) to the development of a harmonised interpretation of the new laws, preparation of GDPR guidance, and the evolution of the EU procedural framework for the new laws, in advance of 25 May 2018.
2.2 Participating effectively and constructively in the new European Data Protection Board (EDPB), with the objective of contributing to the proper and consistent implementation of the new laws and development of common positions and responses to pan-EU data privacy developments.
2.3 Developing strong and effective relationships with other EU counterparts and regulatory bodies, including through the European Data Protection Supervisor’s Digital Clearing House Initiative bringing together Competition, Consumer, and Data Protection Regulators.
2.4 Continuing to foster close relationships with International DPAs through forums such as the Global Privacy Enforcement Network and the International Conference of Data Protection Commissioners.
2.5 Promoting bilateral cooperation and information sharing by hosting delegations from EU and International Data Protection Authorities and authorising their participation in DPC audits and inspections.
3 Drive better data protection awareness and compliance through strategic consultation
Our consultation and guidance activities are central to driving organisations’ compliance with their data protection awareness by helping them to better understand their obligations under the law. By engaging with organisations and sectoral groups and providing guidance that assists them in being compliant in their data processing practices we are achieving better results for data subjects leading to fewer incidences of systemic bad practices and serious infringements of the law.
We will continue to be proactive in engaging strategically with organisations in areas of greatest risk to drive enhanced awareness and compliance. In addition, we have and will continue to run consultation processes around key themes of the GDPR (such as consent, profiling, transparency) in order to consider the input of stakeholders in the preparation of guidance at national and EU level. Further, we have engaged in a range of meetings with large sectoral representative bodies in order to understand the specific guidance needs of those sectors.
We will also continue to provide expert guidance and assistance to government policy makers and legislators so that future laws and policies are compliant with data protection requirements from the outset.
We will achieve our objective of better data protection awareness and compliance through the following priority actions:
3.1 Proactively targeting and engaging with public and private sector organisations, particularly in areas of highest risk and large-scale systemic data processing.
3.2 Providing clear, high quality and timely guidance to data controllers and processors, including by maximising the use of social media and online communication channels.
3.3 Delivering a high volume outreach programme to national, EU and international stakeholders as keynote speakers at conferences and participation in panel and workshop events.
4 Effective Oversight and Enforcement
The GDPR greatly strengthens the investigative and corrective tools at our disposal, including for the first time the power to impose administrative fines up to a maximum of €20 million or 4% of global annual turnover.
Where necessary we will fully utilise our increased corrective powers and impose sanctions in a lawful, proportionate and fair manner against any organisation found to be in contravention of the law. We will use our investigative and enforcement powers to target serious and high-risk areas of non-compliance, and to deter organisations from ignoring or overlooking systemic bad practices or failing to respect the EU fundamental right to data protection.
We will also use our resources to efficiently and effectively handle complaints from individuals who believe their data protection rights have been contravened and to investigate complaints to the extent appropriate.
We will determine the proportionate and effective use of our enforcement powers through the following priority actions:
4.1 Pursuing regulatory action, including the imposition of sanctions, in a lawful, fair, proportionate and effective manner, which accords with the harmonised EU approach, with the overall objective of driving better compliance and accountability by organisations in upholding their obligations to data subjects.
4.2 Engaging effectively with stakeholders, our EU counterparts and other regulatory bodies to identify key areas of bad practice and serious non-compliance, which may require enforcement measures.
4.3 Driving better improved compliance with data protection obligations through investigations and audits targeting high-risk and large-scale processing of personal data.
Delivering the Strategy
The additional annual budget resources which have been allocated to the DPC in recent years has provided the means for the DPC to build our capacity and capability in preparation for regulating under the new data protection regime. This additional funding has facilitated the recruitment of additional staff, including legal, technical, audit, communications and investigations specialists as well as policy and administrative staff.
Our current 2017 budget allocation of €7.52 million will continue to be invested in additional staff resources, the redevelopment of our structures, processes and systems, and the development, upskilling and training of our staff in preparation for the coming into effect of the GDPR, Law Enforcement Directive and ePrivacy Regulation.
By the end of 2017 we will have reached almost 100 staff in size. However, carrying out all the broad range of investigative, regulatory, authorisation and advisory tasks and functions required under the new data protection regime to the high standards and efficiencies expected by industry (in particular the multinational sector), counterpart EU and international regulators and other stakeholders will necessitate the continuing growth of our organisation, potentially requiring it to more than double in size again in the period following 25 May 2018.
Additional government funding during the period of 2018 and beyond, will be crucial to the DPC fulfilling the broad scope of its regulatory remit and meeting the standards and efficiencies expected of the DPC, commensurate with our globally prominent supervisory role.
We will communicate clearly and effectively, and in a timely fashion, with our stakeholders in relation to our activities, strategies and positions using the most appropriate and efficient communications methods, including, via our website, our helpline services, by use of social media tools or through direct engagement. We will continue to raise awareness of data protection rights and obligations and the promotion of compliant practices, including by publishing clear and concise guidance and engaging proactively with our stakeholders.
This Strategy Statement is a high-level document reflecting the key objectives and priority actions currently identified for the DPC for the period 2017 to 2018. These objectives and priority actions are not exhaustive and will be added to and amended as necessary during the lifetime of the Strategy Statement.
The priority actions and detailed key deliverables which underpin the achievement of our strategic objectives are set out in the annual DPC Priorities Plan. The delivery of our objectives are supported by the organisation’s divisional business plans and the individual goals of staff members. Progress in implementing our strategic objectives and priority actions is monitored on an ongoing basis by our Senior Management Committee, and individual Heads of Units.
Accountability and Transparency
While the DPC is an independent body, our governance and administrative oversight processes and arrangements are aligned with the governance requirements applicable to public sector bodies. Our relationship with the Department of Justice and Equality (DoJE), through which we are funded and by which we are administratively accountable to the Oireachtas, is governed by a Corporate Governance Assurance Agreement agreed between the DPC and the DoJE.
In accordance with Section 14 of the Data Protection Acts 1988 and 2003, each year the DPC makes a report to the Minister for Justice and Equality on the performance of the functions and activities of the organisation during the preceding year. The DPC’s Annual Report is also laid before the Houses of the Oireachtas. Further external financial and accounting oversight and governance is observed through the yearly submission of the DPC’s financial accounts to the Comptroller and Auditor General.
The DPC is also partially subject to the Freedom of Information Act 2014 in relation to records relating to the general administration of the office, and specifically those created after 21 April 2008. Details of our FOI Publication Scheme can be found at www.dataprotection.ie.
 Deriving from Article 8 of the Charter of Fundamental Rights of the European Union
 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA