Data Protection Commission Report for the First Full Year of GDPR
On February 20th, Ireland’s Data Protection Commission (DPC) published its annual report covering the first full year of GDPR. The report sets out the areas of focus and the activities carried out by the DPC between 1 January 2019 and 31 December 2019.
The vast spectrum of issues raised in the report reflects the challenges organisations face while working through the minutiae of Regulation (EU) 2016/679 (‘GDPR’), the Data Protection Act 2018 and S.I. No. 336 of 2011 (‘the ePrivacy Regulations’), amongst other applicable laws relating to data privacy.
A. Personal Data Breaches
According to the report, 6069 personal data breaches were notified, with “unauthorised disclosure” accounting for the vast majority of notifications. The DPC noted a 71% increase in breach notifications in 2019. To put these figures into context, this level of reporting gives Ireland the second highest level of breach notifications per capita in Europe.
In most instances, breach notifications to the DPC identified the root cause of the breach as “human error”. The most common errors causing breaches were:
- Emails or letters sent to the wrong recipient;
- Administrative processing errors;
- Verbal disclosures;
- Paper lost or stolen; and
- Unauthorised access to personal data in the workplace.
In many cases, when organisations attribute breaches to human error, they may view them as unavoidable. However, organisations can address these breaches by putting measures in place that significantly reduce the occurrence of human error, including:
- providing targeted training, including quality checks in processes where mistakes have occurred previously; and
- updating procedures to govern and restrict the access to and the use of both electronic and paper files.
Other issues identified by the DPC in the area of breaches concerned late notifications, difficulty in assessing the risks to data subjects, failure to communicate the incident to data subjects, repeat breach notifications and inadequate reporting.
In 2019, 7215 complaints were received by the DPC, up from 4113 complaints in the previous year. A further 165 new complaints were investigated under S.I. No. 336 of 2011 concerning electronic direct marketing.
Complaints under GDPR in 2019
Access requests continue to be the most common subject of complaint, accounting for 29% of complaints received in 2019.
Almost 48,500 contacts were received through the DPC’s Information and Assessment Unit, including 22,000 calls and 22,300 emails. This level of contact with the DPC reflects strong engagement from organisations and a continuing high level of public interest in data protection. Responding to this growing public interest, the DPC published its “Does GDPR Really Say That?” series of blog posts, covering topics such as “Does GDPR prevent my hairdresser from telling me what hair dye has been used on me?” and “Do I need consent to create a name badge?” Over the course of the last year the DPC has communicated a very clear, common-sense approach, highlighting the need to maintain compliance while ensuring that measures are balanced and workable.
D. Cookies Sweep
A targeted review of cookie compliance under GDPR and the ePrivacy Regulations commenced in 2019. This is an area on which we have previously provided guidance, including the steps an organisation can take to address cookie compliance. After the recent Planet49 ruling, it is clear that pre-ticked boxes and assumed consent are not acceptable. The DPC has warned against placing cookies on a user’s device before obtaining valid consent and has highlighted the need to provide complete information on the use of all cookies.
In 2019, six statutory investigations were opened into the compliance of multinational technology companies, including Facebook, Twitter, Google and Apple Distribution International. The DPC also opened 14 domestic investigations, focusing on educational institutions, financial services and social services. The investigations covered a wide variety of areas, including cross-border processing, advertising, security and transparency obligations.
F. Outlook 2020
The year 2020 will likely bring the outcome of a number of investigations, particularly those focusing on multinationals in the technology sector. Fines from the regulator are expected over the course of the next reporting period.
Transfers to third countries will remain on the agenda. In light of the recent opinion on the use of Standard Contractual Clauses (SCCs), organisations may continue to use these amongst other transfer mechanisms. This will come as a relief to EEA/EU organisations relying on SCCs for transfers to the UK.
The report acknowledges this uncertainty and the challenges organisations face when implementing accountability across the board. However, the tone from the DPC is firmly that organisations will need to “move off from the first principles of GDPR”. We expect to see further focus from the DPC over the coming year on how organisations are closing the gaps in their compliance.
If your organisation requires assistance in closing these gaps in 2020, or wishes to strengthen the measures already in place, Trilateral’s Data Protection and Cyber Risk Team is happy to assist; feel free to get in touch with one of our Advisors.
Stacey Williams, Data Protection Advisor at Trilateral Research