Minister Denis Naughten addresses DataSec Conference in the RDS
Good morning ladies and gentlemen. I am very pleased to be here this morning to open DataSec.
I’d like to pay tribute to Helen Dixon and her team on the excellent work she is doing in preparing Ireland for the new General Data Protection Regulation. Government is very aware that having a strong, well-resourced and independent regulator is at the heart of having a credible and robust data protection regime.
I know you are exceptionally busy Helen. You described 2016 as an ‘Olympic year in the data-protection sphere’ so it is testament to your efforts in preparing the country for the new data regulation.
The numbers and calibre of those attending here today clearly shows too how proactive organisations are in preparing for these changes.
In 386 days the new General Data Protection Regulation will come into effect.
The Regulation – known as GDPR - affects every company and employer - not just the large IT and social media companies. If you have employees - even a handful - then you hold and process employee personal data and therefore you must learn about the GDPR.
In short the changes will give people more control over their personal data and make it easier to access it.
All consent must be explicit, granular, unbundled, documented and can be withdrawn – essentially no more tick boxes.
It offers citizens a right to be forgotten and the right to know when one’s data has been hacked.
These are hugely significant changes and I know you will be hearing about them in greater detail from Helen and other experts in this field over the course of today.
Therefore I do not propose to go into the minutiae of the Regulation this morning but at Government level we are very much aware that the Regulation brings significant changes and challenges.
My colleague Dara Murphy was appointed Minister for European Affairs and Data Protection in July 2014 – the first such Minister in the EU to hold a data protection portfolio. Since then and since his reappointment a year ago he has undertaken a very significant programme of work to develop and build on Ireland’s strengths in this area and to really establish Ireland as a global leader in data protection. Extra resources have been secured by Minister Murphy to ensure the country is ready.
Many of the trade bodies and large companies, some of you are here today, are working with Government and the Commissioner’s Office to ensure that SMEs in particular are given support around preparing for the Regulation.
The Regulation also brings a range of new obligations for the public sector, over and above those for private sector companies.
The public sector is one of the largest collectors and users of personal data in the country so it is essential that citizens have full faith in how this data is used and secured. I am very conscious of this as someone who has had medical details stolen on a laptop in the past.
The Data Protection Unit in the Department of the Taoiseach and senior officials in the Department of Justice are working closely with Government departments and their agencies to ensure the public sector is ready for the 25th May 2018 deadline.
In this context the Government will be hosting an international two day Data Summit in June this year to bring together a range of experts to consider and highlight some of the issues - similar to today’s event. I know some of you will be attending this Data Summit.
An area of the GDPR that I have direct Ministerial responsibility for is the ePrivacy Regulation which is scheduled to come into force on the same day as the GDPR. This is a big ask. It repeals the 2002 ePrivacy Directive to make it fit for the online age. It aims to strike a balance between consumers in terms of their online data rights and business’ capacity to innovate and be profitable in the digital space. A high wire act. There is a need to protect citizens but in a practical way.
A key difference between the GDPR and ePrivacy is that ePrivacy pertains to both personal and non-personal data, whereas GDPR focuses only on personal data.
Another key difference is that the GDPR took four years to work through, whereas ePrivacy is expected to take just one year.
I believe the proposed timeline is ambitious. Ireland is not alone among EU Member States in voicing these concerns. Regulation should be evidence based and warranted.
I want to see a measured and careful approach to negotiations as this is a cornerstone file with potentially wide ranging implications. It will fundamentally change how business is done on the internet.
Such a dynamic shift in the modus operandi should not be rushed, but should be considered. We expect the bulk of negotiations to take place under the Estonian Presidency in the second half of the year.
Ireland hosts the European Headquarters of many companies – both large and small - which will be directly affected by this type of legislation.
We are mindful of the issues of both the extent of regulatory burden and the need to avoid stifling innovation and we are listening to the concerns of business. The outcome must be both future-proof and sensible.
We are also examining alternative solutions to the problems identified by the European Commission. At the same time, we strongly believe in protecting end users and consumers. To that end we would caution against any watering down of the standards already set in the GDPR.
A recent survey in the UK found that 70% of employees have not been told anything about the GDPR yet which brings me to the matter of Brexit.
The detail of how the UK’s data protection regime will relate to the EU is unclear at this stage however the UK’s Information Commissioner, Elizabeth Denham has said and I quote "I don't think Brexit should mean Brexit when it comes to standards of data protection."
The White Paper on Brexit published in February identifies data protection as a key aspect of its negotiations. The UK has stated its intention to ensure that there is stability in the transfer of personal data between the UK and the EU post-Brexit.
This would most likely involve the Commission taking an Adequacy Decision which would allow data to flow freely between the EU and the UK, provided the UK has ‘essentially equivalent’ standards of data protection.
These commitments will apply to all companies selling into the EU, whether they have an establishment in the EU or otherwise.
A key social, economic and political priority for me is Broadband and the delivery of high speed broadband to every city, town, village and individual premises in Ireland under the National Broadband Plan. This Plan will play an integral role revitalizing businesses and communities across provincial towns in rural Ireland.
Last month I signed a significant agreement with Eir that means one house every minute of every working day is now getting fibre to the door high speed broadband.
When I took office this time last year only 52% of premises in Ireland had access to High Speed Broadband. With this agreement 77% of premises will have access to high speed broadband within the next 86 weeks - that’s an additional 300,000 premises. There will be no let up on this momentum.
Today I want to report that the first quarter target of passing 40,000 homes has been surpassed - 41,000 homes have been passed and verified.
I firmly believe that Ireland is well-placed to deal with the challenges ahead of the Regulation deadline and you as data protection professionals are a key part of how we respond.
In closing, I would like to thank you for inviting me here today and I wish you a very successful and productive conference.