Informatica Ireland, DAMA and ISACA partnered to bring you an excellent evening of networking and discussion, which featured a world-class panel including:
John Keyes, Assistant Commissioner, Data Protection Commission
Laura Bowmer, Head of Customer Engagement, Aston Martin
Joe Madigan, Head of Customer Data and Retail Analytics, Bank of Ireland
Kate Colleary, Founder of Frontier Privacy and IAPP Country Leader for Ireland
The event focussed on what has happened since GDPR go-live and how this brave new world has impacted data management.
The panel had a lively discussion on the key challenges and opportunities we face under the new regulation, and what we can expect next.
2. The Informatica Difference:
100% Focus on Everything Data
Versatile: Cloud. On-premises. Big Data.
Best-in-Class customer success services
Modular and integrated Intelligent Data Platform
Broadest ecosystem support
Global partner and developer network
Leader in Enterprise Cloud Data Management
Proven Track Record for over 25 Years
3. GDPR Update
Go-live + 3 weeks
John Keyes LLB, BL
Assistant Commissioner - Investigations
Data Protection Commission
Data Management Association
Windmill Lane, Dublin 2 – 21st June 2018
4. You must have a legal basis under Article 6(1) GDPR to process personal data
❑ Consent
❑ Contractual necessity
❑ Legal obligation
❑ Performance of a task in the public interest
❑ Legitimate interest of the data controller (balanced against the rights and freedoms of the individual)
5. Consent under GDPR (Article 4 “Definitions”)
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
6. Personal data breach notification
o Evaluate risk to rights and freedoms of individuals (not risk to the organisation)
o Differentiate between ‘risk’ and ‘high risk’ (Recital 75)
o Make appropriate breach report to Supervisory Authority (72 hours) and/or affected data subjects (‘without undue delay’)
7. GDPR Breach Reports (to 20/06/2018)
o Notifications to date - 434
o Average weekly - 145
o Average weekly 2017 – 54
o Average weekly increase - 169%
8. Transparency - Article 12
Communication of processing information to the data subject; “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”
9. Privacy Notice
▪ Many new GDPR Privacy Notices observed to date do not meet criteria
▪ Continued use of ‘legalese’ language
▪ Neither ‘concise’ nor ‘intelligible’
10. Access Rights (50% of all complaints to DPC)
❑ Understand the scope of personal data
❑ Engage with data subject early
❑ Narrow scope of request if possible
❑ Explain exemptions clearly
❑ Avoid unnecessary confrontation
11. GDPR Complaints and Enquiries to date
❑ GDPR complaints received (from 25/05/2018 to 20/06/2018) – 61
❑ Legacy complaints received (from 25/05/2018 to 20/06/2018) - 165
❑ Average weekly – 75
❑ Average weekly 2017 – 51
❑ Average weekly increase – 47%
❑ No access request complaints accepted to date
❑ Issues include consent, erasure, rectification, CCTV, electronic marketing, transparency, cookies, unfair processing, security of data, disclosure etc
12. DPC Investigations
• GDPR Article 57: Each supervisory authority shall on its territory….
(f) handle complaints lodged by a data subject…..and investigate, to the extent appropriate, the subject matter of the complaint
• Data Protection Act 2018 - Section 108(2)
Where the Commission is the competent supervisory authority in respect of a complaint, it shall—
(a) handle the complaint in accordance with this Part, and
(b) inform the complainant, within 3 months from the date on which the complaint is received by the Commission, on the progress or outcome of the complaint.
13. Data Protection Act 2018 – Section 109(5)
a) rejection of the complaint;
b) dismissal of the complaint;
c) provision to the complainant of advice in relation to the subject matter of the complaint;
d) serving on the controller or processor concerned of an enforcement notice
e) causing of such inquiry as the Commission thinks fit to be conducted in respect of the complaint;
f) taking of such other action in respect of the complaint as the Commission considers appropriate.
15. Panel Discussion
John Keyes, Data Protection Commission
Laura Bowmer, Aston Martin
Kate Colleary, Frontier Privacy
Joseph Madigan, Bank of Ireland
16. Has there been a fundamental change in data management in your enterprise in the last 12 months?
#LifeWithGDPR2018
No change
Lots of talk but no real action
We understand and are working on what we need to do
Oh Yeah! Things are changing around here
Data is now a strategic asset and everyone gets it
17. Do you have or believe you should have a CDO in your enterprise?
#LifeWithGDPR2018
Nope, we have the bare minimum and will survive
Yes, someone became DP and is now regarded as the CDO
We are rolling out a Data Strategy run by a proper CDO
We have had a CDO for some time and they are effective
Our CDO reports directly to the CEO and DATA is a key element of our future
18. Does your organization regard Data as fundamental to its success?
#LifeWithGDPR2018
Not really, it exists and that’s about it
All the attention has raised its profile and importance
Slowly, all major decisions now have a data influence
Data is now seen as a means of creating opportunity
We are now a Data focused enterprise and our success depends on it
19. Has GDPR been a positive or negative influence for creating business opportunity in your organisation?
#LifeWithGDPR2018
Regulation is a constant pain and GDPR is another heartache
We’re just getting on with it and don’t know yet
We are taking it seriously and reaction has been positive
Execs regard Data as a positive asset to be protected
GDPR is changing culturally and operationally how we engage with all our stakeholders
20. Is your organization currently investing in AI, Machine Learning, IoT or Robotics?
#LifeWithGDPR2018
We’re just beginning to understand the basics
It’s been mentioned but nothing in production yet
We have an Innovation Lab and they’re all over this
We get the concepts and are developing real products
This is our future, we are actively carving a niche in one or all of these spaces