The recent Annual Report 2020 from the Data Protection Commission (DPC) highlights a number of trends in data protection within an Irish context. We summarise the trends from the report below:
In respect of complaints received, Access Requests continue to make up almost a third of all complaints received under the GDPR.
Common issues that arise include the failure to:
- respond to the Access Request;
- meet statutory timelines; or
- return a complete Access Request.
It should also be noted that complaints submitted relating to Access Requests often challenge the use of exemptions under data protection law. As demonstrated in jurisprudence, exemptions such as disproportionate effort or refusal to provide all artefacts may only be relied upon in exceptional circumstances. Furthermore, even where exemptions appear applicable, the use of those exemptions may still be challenged in practice.
While the most common complaint categories remain relatively unchanged from previous years, the DPC highlights the growing trend in complaints relating to issues which “in truth, have little or nothing to do with data protection”. These issues included matters relating to an individual’s working environment, dealings with tradespeople or how a school handled an incident between two pupils. This trend reflects the growing awareness of the GDPR and the ability to utilise this legislation and its mechanisms for a remedy at a low cost or even no cost, to the complainant.
Complaints Received under the GDPR — Top 5 Issues in 2020
Categories of Complaints No % of total
Access Request 1683 27%
Fair Processing 1623 26%
Disclosure 793 12%
Direct Marketing 429 7%
Right to erasure 423 7%
This year’s report includes 21 case studies based on various engagements covering topics such as the use of employee personal data, social media and breach notification outcomes. Two case studies have been selected that relate to the use of personal data within an employment context.
A) Purpose limitation and employee photographs
Case Study 1 (p.22) details a complaint from a public sector employee regarding the use of a photograph within a workplace newsletter. The DPC asserted that the photograph was not used in a way that was compatible with the purpose for which it was collected in the first place. While the DPC acknowledged that the infringement of the data subject’s rights, in this case, was “not significant”, its findings sets further precedent regarding the ability for employers to use personal data relating to staff. This case study serves as a reminder of the potential pitfalls of repurposing personal data and, in particular, where the data relates to employees under contract.
B) Customer details shared through WhatsApp
As detailed in Case Study 15 (p.40), an employee of a private financial sector organisation erroneously used WhatsApp to provide a customer with their IBAN and BIC. Under the circumstances of this case, the employee felt comfortable doing so as the recipient was personally known to them. The employee failed to recognise the risks associated with taking organisational information off the approved systems and deviating from proper procedure. The incident was further compounded by the fact that the customer’s details shared were incorrect and thus resulted in a breach notification and an apology to the affected customer.
The DPC issued a number of recommendations relating to the use of approved communication tools and ensuring awareness among staff. Organisations should take steps to ensure that their polices restrict the use of unauthorised applications and unauthorised means of transferring data. Furthermore, it is important to ensure that all staff are aware of the importance of these measures (for example, via information security training), as it is common for individuals to underestimate the risks associated with using such applications for business purposes. Organisations should also consider technical measures to prevent staff from downloading prohibited applications to corporate hardware.
Regulatory focus: cookies investigation and enforcement (p.55)
The DPC conducted its first cookies sweep between August 2019 and December 2019; the results of which were published in April 2020. In response to these findings, a grace period to comply was provided, which expired on the 6th of October 2020.
While the need for consent for non-essential cookies was widely understood, the additional requirements such as removing pre-ticked boxes may not have been. Furthermore, once organisations became aware of the extent of these requirements, the technical implementation raised challenges in and of itself. As it is likely that the DPC will continue their focus on cookie compliance into 2021, organisations should take this time to ensure their previous cookie compliance efforts are working in compliance with the current requirements.
Over the past year, trends in data subject complaints and breaches remained largely unchanged while there was a marked increase in more complex issues such as the use of social media platforms and messaging tools, the increase in individuals using GDPR to address other issues and the nuances of certain interpretations such as the use of employee photography. As we move into another year with the GDPR, the need for organisations to each establish and embed an effective data protection compliance framework is only becoming more and more evident.
Moving into 2021, organisations can improve their data protection compliance by:
- incorporating targeted additional requirements in policy and procedure; and
- obtaining assurance as to how effective their policies, procedure and processes are in practice (e.g. audits and key performance indicators).;
These measures assist in transforming data protection from a one-dimensional compliance exercise into a strategic and business as usual requirement. In turn, this approach builds organisational resilience and helps to prevent future data protection challenges. If you wish to discuss how to improve your organisation’s resilience, you can do so by contacting us through the Data Governance and Cyber-Risk Team page.