According to a story first reported by the Irish Times on the 23rd of July 2019, it appears that the reach of the General Data Protection Regulation may extend to a form of record keeping that few would have envisaged as relevant when the regulation was first drafted: the visitor books of some of Ireland’s best-known heritage sites.
Ireland’s Office of Public Works (OPW) has expressed fears that such books may leave the state vulnerable to claims that it is in breach of the GDPR.
The visitor books of many heritage sites (landmarks, museums, and cathedrals, for example) invite visitors to leave brief remarks, which typically describe how much they have enjoyed their visit. Crucially, however, in some cases people are also encouraged to leave their names and even addresses.
The GDPR has been in force across the European Union since the 25th of May 2018. Member states retain some flexibility in certain areas and can set their own more specific rules there. Under the Irish Data Protection Act 2018, the maximum fine for public bodies that fail to adhere to the rules is €1 million.
Famous Irish tourism sites including Kilmainham Gaol, Dublin Castle and Muckross House have already instructed staff to take the books away.
Are the Irish authorities being overly cautious? GDPR expert Daragh O’Brien from the Castlebridge consultancy firm certainly believes so. While noting that the scope and impact of the GDPR are a real issue that private firms and public authorities need to respond to, he feels that the decision to remove visitor books from heritage sites is an “illogical response to a logical question”.
Speaking to the Irish Examiner newspaper, Mr O’Brien stated: “There isn’t an awful lot of personal information in a visitor book and the OPW could have managed the risk by simply putting up a sign advising people to put the bare minimum information about themselves – their name and the country they’re from – in the visitor book but still allowing the OPW to have that opportunity to capture the sentiment of visitors about some of our leading heritage sites.”
Will the new policy be adopted by national authorities throughout the other member states of the European Union? That remains to be seen. However, even though Mr O’Brien feels that the OPW has over-reacted to the perceived liability, his words do acknowledge that there is indeed a small risk to be “managed” by authorities, and that, while the risk is minor in this particular circumstance, action needs to be taken in order to ensure GDPR compliance.