Ms Helen Dixon:

I thank Deputy MacNeill for her question. It is very much acknowledged that the burden placed on individual data subjects to understand their rights and to know how to exercise them is considerable. There is a whole body of academics now who say the very central concept of the GDPR of giving the data subject back control such as control to exercise rights and control to decide whether they consent actually results in putting an unsustainable burden on them. That is, nonetheless, the central purpose of the law. Aside from the Data Protection Commission publishing more and more guidance on how individuals can exercise their rights, I believe the much more important thing we can do is to guide controllers to be compliant and transparent, and as helpful as possible to the public in explaining how data are processed. We see time and again that poor communication leads to a lot of the issues between controllers and data subjects.

It is also important to mention the new role under the GDPR of the data protection officer that must be appointed by public sector bodies and which many private sector organisations are also obliged to appoint. The DPO officer's role, or that of the office, is to act as an important link between members of the public, the individual and the organisation, and to make all of this simpler. The DPO helps the person to exercise his or her rights. A big focus and a priority for the Data Protection Commission is to support this new role of DPO and to teach DPOs how they can be more effective in supporting individuals.