A Five Year Plan for Data Protection in Ireland

The Data Protection Commission (“DPC”) has published its Draft Regulatory Strategy for 2021-2026 (the “Draft Strategy”), setting out its views on the next “five crucial years” in data protection. At the third anniversary of its implementation, GDPR is part of a new and expanding body of privacy legislation along with the Law Enforcement Directive and E-Privacy Directive. Despite a growing body of guidance documentation, regulatory decisions and case law, there is much that remains to be seen in this new privacy era.

The Draft Strategy is positioned against this backdrop and against the ambiguities of interpretation and application of any new legislation. Public awareness and scrutiny has never been higher. In the two years between May 2018 and May 2020, the DPC received over 80,000 contacts to its office, and opened 15,025 cases on behalf of individuals.

With the Draft Strategy, the DPC is looking to give direction to its broad regulatory remit, while at the same time taking account of the needs of data subjects and organisations. It sets out five strategic goals for the DPC with an aim of “doing more, for more”:

1. Regulate consistently and effectively
2. Safeguard Individuals and promote data protection awareness
3. Prioritise the protection of children and other vulnerable groups
   
4. Bring clarity to stakeholders
   
5. Support organisations and drive compliance

To achieve these goals, the DPC proposes a number of specific steps it will take. These include:

• Clarifying the limits of legislation and setting expectations for stakeholders, including how and when corrective measures are imposed;
  
• Prioritising the allocation of DPC resources to cases that have higher systemic impact on large numbers of people;
  
• Clarifying the bases for data sharing, so that individuals are not disadvantaged or at risk as a consequence of over caution on the part of data controllers;
  
• Applying corrective powers proportionately – including fines, where appropriate – to produce changed behaviours and an improved culture of data protection compliance
  
• Publishing detailed case studies of decisions in an accessible format so that controllers have a frame of reference when planning new undertakings.
  

This draft of the Regulatory Strategy is published for the purpose of consultation with stakeholders, who are invited to make submissions to the DPC by 30 June 2021.

For further information or advice, please contact Seán O'Donnell and John Anthony Devlin or any member of the ByrneWallace LLP Data Protection/GDPR team.