Helen Dixon said she expects to take up data protection role again next year

Ms Dixon stepped down as a commissioner with ComReg, the telecommunications regulator, on February 28 after one year. She had previously done two five-year terms as Data Protection Commissioner, being one of the most powerful data regulators in the EU due to so many tech and social-media companies having their European headquarters in Dublin.

“I stepped down because I’ve been 18 years in regulatory roles, and I felt the need to take a new perspective on some of the challenges,” she told the Privacy in Practice podcast.

“But because of the senior public-sector rules in Ireland, I’m essentially in a cooling-off period for 12 months under our Standards in Public Office (Sipo). [It’s] that prevention of revolving-door type phenomenon.

“So in the first 12 months after I finish up, to take up any contract or employment I would need to go through a series of approvals and consents. I have opted, for the purposes of taking up any work in the area of data protection or digital regulation, not to go through that process because, I think appropriately, the restrictions that would be applied to me in this early period would simply be considerable.”

The former DPC commissioner said she had applied for clearance to join the board of Repak, the environmental company, as an independent non-executive director. It would be “hugely interesting” to be involved in an oversight role in another area that is heavily regulated.

“I do expect, though, on March 1, when the 12 months cooling-off is up, that I will work again in some shape or form in the area of data protection and digital regulation,” she added.

Asked if she would have done anything differently in her previous roles, Ms Dixon said she would have liked to spend more time leading conversations that engaged the public around issues in the digital age. These would include the tension between safety and privacy, or between national security and data protection.

“In reality, of course, my time was spent in the detail and the weeds of very, very large scale investigations and procedural wrangling, and sometimes political wrangling about Ireland and the DPC’s place in the EU order.”

Asked whether she believes there should be some carve-outs from GDPR for smaller companies, Ms Dixon said she had seen the challenges that SMEs had in trying to comply, but does not believe there is much scope for limiting obligations by company size.

“I think that risk-based approach in the GDPR is correct, because you can have risks to individuals’ rights and freedoms…no matter the size of the organization,” she said.

“There were a couple of cases early on in the application of the GDPR that my office investigated, involving the child and family organisation Tusla. Vulnerable individuals that had been subject to abuse and even potentially violence, their location details were shared with exactly the person that they shouldn’t have been through a failure in redaction when documents were disclosed on foot a court order, or an access request.”