The GDPR Effect The phenomenon that is the General Data Protection Regulation (GDPR) has demonstrated one thing above all else: people's interest in and appetite for understanding and controlling use of their personal data is anything but a reflection of apathy and fatalism. While a series of Eurobarometer surveys in recent years have catalogued concerns on the part of the public about uses of their data, it is the rise in the number of complaints and queries to data protection authorities across the EU since 25 May 2018 that demonstrates a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data. Pages 18 and 43 of this report details the significant increase in complaints and queries to the Irish DPC.
But the response of industry and the public and voluntary sectors has been just as strong: over 1,000 Data Protection Officers (DPOs) have been appointed by organisations across Ireland and have been notified to the DPC since May. These individuals will play key roles in embedding effective data protection practices in their organisations and driving real improvements in standards of data protection and security. Over 4,000 data breaches have been notified by organisations to the DPC and, while it would be an ideal world if there were fewer, the DPC's experience generally is that most organisations engage with the DPC and accept our guidance around mitigating losses for affected individuals, communicating any high risks to them and learning lessons from the breach to avoid a repeat. In some cases, organisations have provided us with statistical data on the number of access requests, requests for portability and erasure they have received, the systems they have set up to handle such requests, the Data Protection Impact Assessments they have conducted, the training they have instituted for all staff, and, importantly, the sponsorship their data protection programmes is now receiving from their 'C-Suite' executives. Different sectoral groups in Ireland have come together, whether through their DPOs or through representative bodies, to share learning with one another. And if we understand something about the GDPR, it is this: it will be a process of dialogue that lasts many years and the dialogue will need to shift and change with technology, context, learning from evidence (including emerging case law) and evolving societal norms. This will be the route to new context-based solutions and a real understanding of what 'better' looks like.