Out-Law News | 28 Feb 2019
The Data Protection Commission (DPC) has published its latest annual report (104-page / 2.36MB PDF), which covers the period from 25 May 2018, when GDPR took effect, to 31 December.
The report highlights an increase in the number of data protection complaints to the DPC since the GDPR took effect. The number of complaints raised in the period totalled 2,864 compared to 2,642 for the whole year in 2017.
The DPC said that the rise "demonstrates a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data".
A further increase was also seen in the number of personal data breaches reported by businesses to the DPC post-GDPR. According to the figures, the watchdog received 3,687 data breach notifications between 25 May and 31 December 2018, although 145 of the cases were deemed not to meet the definition of a personal data breach under the Regulation.
The 3,542 valid data breaches reported in that period represented a 27% increase on the number of data breaches reported to the DPC throughout all of 2017.
"The DPC’s experience generally is that most organisations engage with the DPC and accept our guidance around mitigating losses for affected individuals, communicating any high risks to them and learning lessons from the breach to avoid a repeat," the watchdog said in its report.
Helen Dixon, Ireland's data protection commissioner, said: "Although we are still in the stage of having to bust some myths and misunderstandings that have built up around the GDPR, we feel very optimistic about the improvements we will see in Ireland in personal-data-handling practices over the next few years."
Dublin-based data protection law expert Aoibheann Duffy of Pinsent Masons, the law firm behind Out-Law.com, said: "The significant increase in complaints to the DPC highlights the importance for businesses in having robust data protection policies in place, and in particular, being aware of their responsibilities in responding to data access requests, which remains the area attracting the highest number of complaints."
"Unauthorised disclosures accounted for almost 85% of the 3,542 valid data breach notifications received by the DPC. These figures serve as a reminder to businesses to have adequate safeguards in place to avoid unauthorised disclosure of personal data. In particular, businesses should exercise caution when using auto-fill functions in software and ensure additional measures are in place, such as on-screen prompts to double-check recipient details, so that personal data is not sent to the wrong person," she said.
According to the DPC, as of 31 December, it had 15 open statutory inquiries into whether multinational technology companies under its jurisdiction comply with data protection laws.
The report also outlined the post-GDPR prosecutions the DPC pursued in 2018 under the sister e-Privacy regime. It said five companies were prosecuted for a total of 30 offences under the e-Privacy rules, which lay down strict requirements for electronic direct marketing.
The DPC also said that it is taking steps to help businesses take advantage of certification schemes and industry-led codes of conduct that the GDPR provides for.
"The DPC is also establishing a new unit to operationalise the important new mechanisms of certification and codes of conduct that have been introduced by the GDPR," it said. "The accountability principle is emphasised throughout the GDPR, placing the onus on organisations to be compliant and be able to demonstrate that compliance. Certification and codes of conduct will enable organisations to demonstrate compliance voluntarily. This new DPC unit dedicated to these mechanisms will work to encourage their take-up and facilitate organisations as far as possible in implementing them successfully."
At a pan-EU level, the DPC said it has been involved in drafting new guidelines alongside its partners at the European Data Protection Board to promote the use of certification and codes of conduct as tools for transferring personal data outside of the European Economic Area (EEA).