DPC Launches GDPR Consultation

Author:Mr Philip Nolan and Jevan Neilan
Profession:Mason Hayes & Curran

On 16 March 2017, the Irish Data Protection Commissioner ("DPC") announced a public consultation on certain aspects of the EU General Data Protection Regulation ("GDPR"). This consultation focuses on certain topics identified by the Article 29 Working Party ("Working Party") in its 2017 action plan. These are consent, profiling, data breach notification and certification.

The DPC's aim is to capture the views of stakeholders on these four topics, and provide those views to the Working Party. The overall goal is that these insights will inform the Working Party's discussions in advance of finalising its guidance on the interpretation and application of these key provisions of the GDPR. The consultation is open until 31 March 2017.

  1.  Consent

Under the GDPR, consent will continue to be a lawful basis upon which to process personal data. However, obtaining consent in accordance with the GDPR is likely to pose a greater challenge. In particular, consent will have to be given by a "clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement". Silence, pre-ticked boxes or inactivity will be inadequate.

The DPC has sought input on issues including:

how this consent should be interpreted and implemented in practice; how organisations can demonstrate that consent has been validly obtained; and the practical implications for organisations where consent is withdrawn. 2. Profiling

'Profiling' is a new concept introduced by the GDPR. It takes place when the automated processing of personal data is used to evaluate certain personal aspects relating to an individual. According to the GPDR, profiling also includes the monitoring of individuals and the subsequent use of data processing techniques in order to take decisions regarding those individuals or to predict their behaviours or preferences.

In particular, the GDPR aims to avoid individuals being subject to a decision based solely on automated processing, including profiling, "which produces legal effects concerning him or her or similarly significantly affects him or her." For example, the automatic refusal of an online credit application or e-recruiting practices without any human intervention.

The DPC has sought input on issues including:

how existing profiling activities will be impacted by the GDPR; what limits should be applied to profiling; and how an individual should be able to contest a decision made as a result of...

To continue reading