[00:13.030 --> 00:17.430] May 26th, what are your priorities with enforcement?
[00:20.890 --> 00:22.810] Everybody write this down.
[00:23.630 --> 00:31.570] I've been talking on a couple of panels this week and quite appropriately been asked that question on each occasion.
[00:31.570 --> 00:38.430] So we're always going to have the reactive priority of responding to complaints lodged.
[00:38.430 --> 00:54.690] As you know, the General Data Protection Regulation retains this requirement, around which I think there is a little bit of tension vis-à-vis our role as supervisors, but it retains this requirement that we handle every complaint lodged.
[00:54.690 --> 01:09.270] So every one of the 320 million data subjects in the EU that might have an issue relating to Facebook or Google can lodge a complaint with the Irish Data Protection Authority and we're obliged to handle each complaint.
[01:09.270 --> 01:22.070] And actually sections 104 onwards of the Irish Data Protection Bill that are published set out very detailed requirements as a data protection authority in terms of responding to those data subjects.
[01:22.290 --> 01:29.210] So we will always have to be reactive in terms of handling the complaints lodged.
[01:29.450 --> 01:39.790] And that's why it's another reason why it's critically important for organisations to get right from the 25th of May the handling of data subject rights.
[01:39.790 --> 01:56.550] Failure to deliver on the rights of access, which already comprise over 50% of the complaints my office deals with each year, failure to comply with rights to portability, rights to objection, rights to restricted processing, they attract the higher fines,
[01:56.550 --> 02:07.170] but they're also what's going to lead data protection authorities quickest to your door, because we will start seeing complaints lodged with us in relation to those data subject rights.
[02:07.170 --> 02:15.030] So our first priority will be to be responsive to the risks and trends we identify in handling every complaint lodged.
[02:15.030 --> 02:28.130] Then, of course, we have the new provisions in the GDPR that now make mandatory in the EU the reporting of breaches that pose risks to data subjects within 72 hours of organisations becoming aware of the breach.
[02:28.130 --> 02:50.750] So this is going to open up the doors, it may open up the floodgates to us in terms of giving us as data protection authorities visibility of a whole range of abuses and failure to secure personal data that heretofore we've simply been unaware of because there hasn't been a requirement to make a report to the data protection authority.
[02:50.750 --> 03:06.230] And as you know, the provisions around notification to data protection authorities, I keep forgetting to call them supervisory authorities, they also require entities to notify individuals where there are high risks to their rights and freedoms.
[03:06.290 --> 03:23.210] So this is going to open up further establishment of reactive priorities on our part once we start to see what's coming in and what industry sectors potentially are particularly implicated or what types of issues we're starting to see.
[03:23.210 --> 03:32.490] And then, of course, we're going to have, I believe, the ongoing trend of whistleblowers and media reporting that's going to direct us towards reactive priorities.
[03:32.490 --> 03:51.910] But in terms of proactive enforcement priorities, to the extent that we will have any resources left, and I hope we do because it's important to us to get to setting the agenda as well in terms of how we enforce, we have already publicly announced that transparency is going to be a key enforcement priority for the office.
[03:51.910 --> 04:05.090] And we're starting with transparency because we think it's key in terms of this whole idea of empowering data subjects and giving them the control that the GDPR aims to give back to data subjects.
[04:05.090 --> 04:15.670] In addition, the exercise of any rights by a data subject flows in the first instance from them having a clear knowledge of when their data was collected, who has collected it.
[04:15.810 --> 04:20.810] The exercise of rights simply can't happen if there hasn't been transparency.
[04:20.970 --> 04:26.490] And also, transparency hits across this whole issue of legal basis as well.
[04:26.490 --> 04:38.030] For years, we've all been listening and debating the issue of, but is consent real in circumstances of signing up to internet company free services or in lots of other contexts.
[04:38.030 --> 04:53.370] We debate whether consent is real, not so much because of the issue of whether it's freely given, which is important and called out in the GDPR, but really around the issue of whether it's well informed.
[04:53.370 --> 05:06.850] And we've always had the worry that it's not well informed, that privacy notices, as they've evolved in legalese, are far too opaque to data subjects.
[05:06.850 --> 05:11.630] And Article 29 has issued guidelines on transparency.
[05:11.950 --> 05:19.490] There's been some pushback from industry in relation to parts of it, and we can talk at length about all of that.
[05:19.490 --> 05:39.230] But one of the areas that I suppose I've been surprised industry has pushed back on in relation to the transparency guidelines is the assertion that where possible, it should be avoided in transparency notices to users to use phrases like, we may use your personal data to improve our products.
[05:39.230 --> 05:41.450] Does anyone know what that means?
[05:41.450 --> 05:48.490] Does anyone know that that might mean the services scanning your private messages and the recipients to and from?
[05:49.230 --> 05:54.530] In other contexts, where a bank writes it in a privacy notice, what does it mean?
[05:54.530 --> 06:00.070] Are they looking at what I've been purchasing with my credit card and where I travelled?
[06:00.210 --> 06:05.010] So we think those phrases should be avoided where possible.
[06:05.010 --> 06:24.510] We accept there may be scenarios where it's not possible to avoid them, and if that is the case, then examples of how personal data in the past was used to improve products should be given to the user so that they understand what the limits around that concept of using personal data to improve products are.
[06:24.510 --> 06:30.690] So, sorry, I've gone on a bit, but enforcement priority will be around transparency.