Good morning ladies and gentlemen.
I am delighted to have the opportunity to speak to you here today for International Data Protection Day.
Go raibh míle maith agaibh le haghaidh an cuireadh agus tá fáilte roimh go léir.
To begin, let me thank Jim Gregg of the Irish Computer Society for the kind invitation to speak here today.
This is the third year that I have had the opportunity to address your conference and each year there is even more to talk about in the whole area of data protection.
As you know, 2016 was a very busy year for data protection: agreement was reached on the Privacy Shield mechanism for transatlantic transfers; the Court of Justice of the European Union issued a number of significant judgements and of course, we had the outcome of the vote in the UK.
2016 also saw the final approval of the General Data Protection Regulation following a number of years of negotiations across the Member States.
And so, today’s event is very fittingly titled ‘It’s here; what’s next?’
As you are aware I was first appointed as Minister for Data Protection in July 2014 – the first in the EU - and reappointed to this role in May last year.
And since my appointment just over two and a half years ago now, we have undertaken a very significant programme of work to develop and build on Ireland’s strengths in this area and to really establish Ireland as a global leader in the area of data protection.
In my work as Minister for the Digital Single Market and EU Affairs, I see on a daily basis just how important a trusted and robust data protection regime is in underpinning our objectives to grow the economy and improve the lives of European citizens. It is not just a nice to have – it is a central part of our infrastructure.
And it is encouraging to note that a recent survey of 200 executives undertaken by Forbes (on behalf of William Fry) late last year demonstrates the high regard in which Ireland’s data privacy regulatory regime is held internationally.
82% of those questioned rated the Irish data protection regulatory climate as ‘good to excellent.’
This is excellent news for Ireland and as the report states, is ‘a very strong indicator of a firm but fair regime that strikes the right balance between businesses and individuals.’
I would like to take this opportunity to restate Government’s continued commitment to building on this track record.
And ensuring that we are all fully prepared for the GDPR is a key part of delivering on this.
General Data Protection Regulation – General
I know you will be hearing about the detail of the Regulation from leading experts over the course of today, but I would like to take this opportunity to highlight some of the work that is underway to ensure that Irish based organisations, both public and private sector, are fully prepared for the GDPR.
We are all very much aware that the Regulation brings significant changes and challenges for us all. And the numbers attending here today clearly shows how proactive organisations are being in preparing for these changes.
And while we must by no means rest on our laurels, I have been quite heartened with the positive feedback I have received about Ireland and our preparations for the Regulation.
In particular, I met with EU Commissioner Jourova last October, whose brief includes data protection, as part of a programme of visits she is undertaking to member states to discuss preparations for the GDPR.
And while she was here, she also met with industry and trade bodies and she was struck by the quality of the discussions and the level of preparedness among Irish companies. Overall, the Commissioner was very positive about just how advanced Ireland is on this agenda.
I have also visited both the US and Germany in recent months in relation to my data protection brief and on both visits, there was positive commentary about just how proactive Ireland and Irish based organisations are being. And you as professionals and leaders in the field are driving this work.
I think it is particularly worth commenting on the cooperative approach being shown by business and the data protection professionals’ community.
Many of the trade bodies and large companies have offered to work with Government and the Commissioner’s Office to help spread the word, and to ensure that SMEs in particular are given support around preparing for the Regulation. I know from hearing the Data Protection Commissioner speak at a number of recent events that communicating the need to prepare for the GDPR is a key priority for the Office over the coming months.
By no means is this license for us to be complacent. There is significant work needed to ensure that we are all ready to meet the challenges of the GDPR. And no doubt on foot of the discussions over the course of yesterday and today, you will all certainly leave here well up to speed. I think we can take some comfort from the adage ‘tús maith, leath na hoibre’.
General Data Protection Regulation – Public Sector
In addition to its more general provisions, the Regulation brings a range of new obligations for the public sector, over and above those for private sector companies.
The public sector is one of the largest collectors and users of personal data in the country. And it is essential that citizens have full faith in how this data is used and secured.
That the public sector is a leader in applying the Regulation is a key part of achieving this. And so both the Data Protection Unit in the Department of the Taoiseach and senior officials in the Department of Justice are working with Government departments and their agencies to ensure that they are ready for 25 May 2018.
Much of this work is being done through the Inter-Departmental Committee on Data Issues, which I chair, and which is the key vehicle for these preparations and ensuring a consistent approach across the public sector.
We have are also engaging with the wider public sector. I was delighted that over 300 public body representatives attended a major event in December last, hosted by the Department of the Taoiseach in partnership with the Commissioner’s Office and the Department of Justice, to learn about how to prepare for the GDPR.
Work is also well advanced in preparing the relevant enacting legislation. As a Regulation, the GDPR has direct effect; but there are a number of areas where there is scope for Member States to act independently, including the much talked about ‘digital age of consent.’ The Department of Justice is leading on developing this legislation.
General Data Protection Regulation – Common Application
As those of you working in this area will know, a key issue for organisations, particularly those that operate across a number of Member States, is having a clear and a common understanding of what the GDPR means for us.
This desire for clear and consistent regulation is probably the clearest message that I’ve heard since taking up my post.
Despite what some may think, at no stage since my appointment have I heard calls for a lighter touch application of the rules.
Clarity and consistency are key to how we in Ireland, and by extension in Europe, position ourselves as attractive centres for development, innovation and investment.
And in this context, both the Departments of the Taoiseach and Justice, as well as the Commissioner’s Office are involved in a number of groups and projects to support consistency in how the GDPR is interpreted and applied across the EU.
When I met with her, Commissioner Jourova particularly commented on this work and the leadership role that Ireland is playing at EU level.
And you will have seen the recent work that the Article 29 Working Party is doing to develop guidelines on various aspects of the Regulation. They have asked for feedback on the current guidelines by the end of this month and I would encourage you all to feed into this process where possible.
The Government Data Forum, which I established in 2015 and which brings together experts from industry, civil society and academia and advises Government on all data-related matters, also has the GDPR on its agenda for all of its meetings.
Office of the Data Protection Commissioner
As the GDPR strengthens the rights of users and citizens while increasing obligations on data controllers, we see the Office of the Data Protection Commissioner taking on an ever increasingly important role.
Particularly so in the context of the One Stop Shop and the European Data Protection Board which will establish the Irish regulator as lead authority for companies with a main establishment in Ireland.
And Government is very aware that having a strong, well resourced and independent regulator is at the heart of having a credible and robust data protection regime.
One of my first priorities on taking up my role was to drive a programme of investment to enhance the resources of our Data Protection Commissioner, Helen Dixon, to ensure that her office is adequately resourced to deal with the additional workload that the GDPR will bring.
Since 2014, there has been a 4-fold increase in budget for the Office, as well as a more than doubling of staff numbers with further recruitment planned over this year.
This investment is about more than just numbers; it is enabling the Commissioner to recruit the kind of expertise and skills that are central to her Office in dealing with the evolving nature of digital technologies.
She has established a dedicated team to work with the major data-driven multinationals that have their European headquarters in Ireland. It is worth making the point that the Irish Commissioner is unique among her peers across the EU in having such an expert resource.
This ongoing increase in funding and staffing is complemented by the Commissioner’s new office on Fitzwilliam Square; which the Taoiseach will be formally opening later this morning.
And while these increases have been most welcome, we are not finished yet. We will continue to ensure that Ireland continues to have a modern, well-funded Data Protection Commissioner.
Data Summit
We are also working to increase awareness of data protection across society and to have the kinds of multi-faceted and sometimes challenging conversations that are needed about the role of data in our modern society.
In this context, we will be hosting the Data Summit on 15-16 June this year. This will be a major, two day international conference bringing together a range of experts to consider and highlight some of the issues arising from the ever expanding role of data in modern life.
It is hoped that the Summit will help to bring a greater balance to conversations about the use of data, and contribute to a better understanding of the role of data in modern society.
We will also use it to showcase good use examples of data across the public, private and not-for-profit sector.
The Summit will also give us the opportunity to focus on preparations for the GDPR, and we will be organising sessions on specific aspects of the Regulation.
We aim to attract key international speakers and we will be targeting a wide audience from across enterprise, the public sector, academia, civil society and the general public.
I hope that many of you will have the opportunity to attend.
Conclusion
2017 is my 4th calendar year in this position.
Each year has brought a new set of challenges in the area of data protection and as we look forward, it is certain 2017 will not be any different.
I firmly believe that Ireland is well-placed to deal with these challenges and you as data protection professionals are a key part of how we respond.
In closing, I would like to thank you for having me here today.
And I would encourage you all to make the most of the opportunities that this conference provides in terms of sharing information and best practice with your colleagues.
Finally, a happy Data Protection Day to you all!
Go raibh míle maith agaibh.
ENDS