The Irish Data Protection Commission (DPC) has yet to complete a major IT overhaul that it once suggesting would be critical to effective GDPR enforcement.
The DPC is one of the most important data protection regulators across Europe and plays a critical role in cross-border GDPR enforcement given that many of the world’s biggest tech companies are headquartered in Ireland.
However, the Irish Council for Civil Liberties (ICCL) has revealed, through freedom of information (FOI) requests, that a critical overhaul to its digital case management system has been delayed for years.
Although implementing a new system was proposed as far back as 2016, the regulator has yet to complete works on overhauling the “outdated” Lotus Notes technology. Five years on, the ICCL has learned that the regulator has missed its own deadlines year after year while incurring costs amounting to €1 million.
This planned system is needed in order to manage caseloads, workflow and reporting, and would be used to manage the complete case lifecycle. This platform would also connect to virtually every aspect of DPC staff’s work, including email and calendars.
This is arguably once one of the reasons why the DPC has been unable to process many cases from the dozens of major investigations it has undertaken since GDPR came into force. Progress in cases against Twitter and WhatsApp have been made in recent months, but the regulator still has dozens of cases against the biggest tech firms to churn through.
"The GDPR gives Ireland a central role in protecting data rights across the entire European Union, monitoring how Google, Facebook, and others use our data. But the DPC is not configured for its digital mission,” said senior fellow at the ICCL, Dr Johnny Ryan.
“What we have discovered indicates that it cannot run critically important internal technology projects. How can it be expected to monitor what the world’s biggest tech firms do with our data? This raises serious questions not only for the DPC, but for the Irish Government. We have alerted the Irish Government of the strategic economic risk from failing to enforce the GDPR”.
The DPC claimed in its 2017 annual report that moving to a new IT system was “required for the DPC to effectively rollout [GDPR],” and that it would “enhance how the DPC manages queries, complaints and investigations”.
ICCL claims the DPC first aimed to complete the overhaul in 2017, but the system was not developed. Data Protection Commissioner Helen Dixon then said the system was a key goal for 2018 - the year GDPR came into force.
After issuing a request for tender in December 2017, the DPC waited until July 2018 to sign a “statement of work” with a contractor. Internal documents show the DPC pencilled in a new launch date of October 2018 - and decided to overhaul only the most essential aspects of the new system to make sure it could meet this deadline. This deadline passed again
The DPC’s ‘strategy statement’ for 2019 mentioned that a new IT system would again be a priority for that year, although minutes from a February 2019 meeting show that procurement had not yet begun for essential components. Staff training was also yet to begin. The organisation was also concerned about spiralling costs.
Then, in July 2019, the DPC began procuring the infrastructure to host the new system, with an expected completion date of March 2020. This date passed too, and the DPC commissioned a ‘design review’ of the planned system with a focus on its security.
Then, in October 2020, when the 2021 Budget allocations from the Irish government were announced, Dixon said additional funding would allow it continue with key strategic projects, “such as the completion of a new case management system”.
HCI 2.0 from HPE: Powering through to innovation
This second-generation HCI delivers a more simple and efficient experience
A spokesperson from the Irish DPC told IT Pro that the regulator has a “functional and fit-for-purpose” case management system, that’s been optimised with new features over the last year years. This system, however, is limited, they added, because it’s based on Lotus Notes technology, and is limited with how it can be integrated with the DPC website, web forms, and the shared platform between EU data regulators.
“Significant work in specifying the system and building its core modules has been completed. Some delays in delivery have occurred because of updates to specification of security and infrastructure elements,” the spokesperson continued.
“Some other elements have on demand from the DPC been slowed in order to allow for the resolution between EU DPAs of final intended processes such as those involved in the Article 60 cooperation and consistency mechanism under the GDPR.
The EU, almost three years after it had intended to, has not yet adopted its new e-Privacy legislation, moreover. The DPC claims that this delay means it’s yet to understand how the procedural and operational aspects of the GDPR will operate in fine detail.
The spokesperson added, nonetheless, that “progress continues” on the system investment, and that the core modules of the new system will be rolled out in the spring of 2021.
