The Data Protection Commission (DPC) is accepting feedback on its Draft Regulatory Strategy for 2021–2026 until 30 June 2021. We have set out the key highlights of the Strategy below.
The DPC’s strategic goals are to: (i) regulate consistently and effectively; (ii) safeguard individuals and promote data protection awareness; (iii) prioritise the protection of children and other vulnerable groups; (iv) bring clarity to stakeholders; and (v) support organisations and drive compliance.
(i) Regulate consistently and effectively
The GDPR is a principles-based law, which enables it to expand and accommodate future developments in the uses of personal data.
The DPC states that this does mean that the legislation must undergo critical evaluation every time it is applied to specific contexts or technologies, and recognises that there is a need to increase certainty and stability in how data protection law is applied. Stakeholder feedback shows that there is a need for greater transparency about how the DPC carries out its regulatory functions and for such information to be made available in a comprehensible manner. To achieve this outcome, the DPC proposes a number of actions, including:
- clarifying the limits of legislation and setting expectations for stakeholders, including how and when corrective measures are imposed;
- improving guidance to promote a deeper understanding of data protection law;
- standardising and publishing procedures for complaint handling and inquiries;
- increasing transparency and provision of information on the DPC’s outreach activities and engagement with stakeholders;
- more frequent publication of case studies illustrating how data protection law is applied, how non-compliance is identified and how corrective measures are imposed;
- seeking clarification and consistency on procedures under the One-Stop-Shop mechanism and international cooperation, and
- working closely with the European Data Protection Board to develop legal certainty for international transfers of personal data.
(ii) Safeguard Individuals and promote data protection awareness
In the two years between May 2018 and May 2020, the DPC received in excess of 80,000 contacts to its office, on foot of which it opened 15,025 cases on behalf of individuals. The majority of these cases concerned just one individual and centred on issues that have no major or lasting impact on individual’s rights. The DPC would prefer to prioritise cases that are likely to have the greatest systemic impact for the widest number of people over the longer-term, and to allocate its investigative resources on that basis. To achieve this outcome , the DPC proposes a number of actions, including:
- identifying trends and themes within individual complaints so that the DPC can achieve strong collective outcomes;
- engage with civil society bodies on areas of concern for individuals;
- prioritising the allocation of DPC resources to cases that have higher systemic impact on large numbers of people, and
- working with peer DPAs to introduce consolidated and consistent enforcement across Europe, which would harmonise enforcement approaches and agree the criteria for regulatory success.
(iii) Prioritise the protection of children and other vulnerable groups
In the case of children, stakeholder feedback shows that uninformed choices around data sharing may have direct consequences in later life, and warrants targeted and age appropriate education for minors so that they can grow up aware of their rights and appreciate the importance of controlling their own personal information. To achieve this outcome , the DPC proposes actions such as:
- providing ready-to-use education materials and raising awareness of children’s data protection rights, aimed at children, their teachers, their parents and guardians;
- actively promoting the development of codes of conduct on the processing of children’s personal data, and
- clarifying the bases for data sharing, so that individuals are not disadvantaged or at risk as a consequence of over caution on the part of data controllers.
(iv) Bring clarity to stakeholders
The GDPR advocates a risk-based approach to data protection, in order to deliver improved results for data subjects in a timelier manner. On this basis the DPC may, in the future, adopt a collective approach to investigating systemic issues, rather than run multiple investigations into individual complaints about the same matter. Recognising that most businesses and organisations are keen to meet their obligations under the GDPR – but sometimes lack clarity about how those obligations are best operationalised – the DPC will support data controllers in their compliance efforts, so that current and future undertakings have clear guidance on incorporating data protection in their business practices. To achieve this outcome , the DPC proposes a number of actions, including:
- regulating in a fair, impartial and transparent manner;
- applying corrective powers proportionately – including fines, where appropriate – to produce changed behaviours and an improved culture of data protection compliance, and
- regularly communicating with organisations on investigation procedures and final outcomes.
(v) Support organisations and drive compliance
The so-called ‘hard enforcement’ options and sanctions are tools at the disposal of the regulator, but they are not the limit of the regulatory role. The DPC states that extensive engagement is not indicative of an unwillingness to regulate, but rather a recognition that investing time and effort into developing a culture of compliance will ultimately drive data protection efficacy. The DPC advocates a risk-based approach to sanctions, and will prioritise prosecution, sanction and/or fining those infractions that result from wilful, negligent or criminal intent. In order to achieve this outcome, the DPC proposes a number of actions, including:
- pursuing effective regulatory actions which makes use of the full suite of corrective measures, appropriately applied, to regulate effectively in a rapidly evolving sector;
- regulating in a fair, impartial and transparent manner;
- applying corrective powers proportionately to produce changed behaviours and an improved culture of data protection compliance;
- promoting a cultural shift towards compliance by extensive engagement with stakeholders, so that data protection rights are upheld as a matter of normal business practice, and
- regularly reviewing and communicating its supervision and enforcement priorities.
Responses to the Draft Strategy can be emailed to the Commission at dpcstrategy@dataprotection.ie or sent by post to the DPC’s offices at Fitzwilliam Square.