Mr. Cathal Ryan:

I will add to that, as it might be of assistance to the Chairman. Under the current law on data protection such as, for example, security purposes, it is up to the data controller to choose the level of security that is appropriate to the data he or she is processing. Among the factors to be included are the resources that can be used to protect data. A lot of it is subjective. Organisations need to consider the resources they have to protect data. They must also consider the nature of the data they collect. Certain data will involve no detriment for an individual if left on top of a car and found, whereas other pieces would. Organisations may need proper security measures to protect certain sensitive data rather than for general data that involve no detriment for an individual. What we are trying to achieve in the office is to have a pragmatic common-sense approach. A recent Latvian case contained a preliminary reference to the European Court of Justice and the Advocate General, in its opinion which is not legally binding, started to discuss the common-sense approach to data protection. There is a recognition at European level and in our office of the application of a common-sense approach and understanding the resources the data controller has available in order to meet his or her obligations under the Data Protection Acts and the GDPR when the system goes live in May 2018.