EU Regulator Discusses Enforcement Priorities for the GDPR
On March 27, 2018, Helen Dixon, the data protection commissioner for Ireland, outlined the enforcement priorities of the Irish data protection authority (DPA) for the General Data Protection Regulation (GDPR) during the International Association of Privacy Professionals Global Privacy Summit in Washington, D.C. The Irish DPA has been ramping up its compliance capabilities for the GDPR and will undoubtedly serve as the lead DPA for GDPR enforcement for numerous U.S. companies that are headquartered or have locations in Ireland.
Dixon recognized that many organizations will struggle to fully comply with the GDPR by the May 25, 2018, effective date but confirmed that the Irish DPA will begin to enforce the GDPR on that day and that there will be no grace period for companies that fail to comply. Additionally, Dixon stated that the Irish DPA will focus its enforcement efforts on resolving complaints filed with it as the GDPR requires DPAs to investigate all complaints. Dixon shared that, in 2017, the Irish DPA handled approximately 2,600 complaints. Over half of those complaints involved data subject access requests, and a majority of complaints involving data subject access requests were filed by employees who complained that their employers failed to adequately comply with their data access requests.
Further, Dixon emphasized the importance of transparency and accountability under the GDPR. Thus, the Irish DPA will scrutinize privacy policies and notices to ensure that data subjects are fully informed about how and why their personal data is being processed. Additionally, the Irish DPA will review organizations’ data protection governance documents to determine whether the organizations have made a commitment to data protection or have merely “ticked the boxes” to demonstrate minimal compliance with the GDPR.
Finally, Dixon stated that the Irish DPA takes seriously its duty under the GDPR to raise awareness about the GDPR and will allocate significant resources to providing guidance and advice to organizations about the GDPR, in addition to carrying out its obligations to enforce the GDPR.
Key Takeaways for Employers
Although employers are required to be fully compliant with the GDPR by May 25, 2018, they may want to prioritize and concentrate their efforts on high risk compliance areas. With less than 60 days until May 25, 2018, and based on Dixon’s comments, employers may want to take the following actions:
- Prepare compliant privacy notices for applicants and employees
- Develop effective data subject access request protocols to properly and timely respond to such requests and reduce the likelihood of employee complaints to DPAs
- Prepare comprehensive data-handling policies and procedures that assign specific roles and responsibilities to individuals and provide meaningful consequences for noncompliance (Such documentation should include the Article 30 record of processing, which demonstrates that the employer has thought through the purpose, legal basis, and retention periods for processing personal data as well as the organizational and technical measures needed to protect the data.)