In this excerpt from GDPR – One Year On, Alice Turley discusses the impact of the GDPR (General Data Protection Regulation) in Ireland.
Data breach notifications in Ireland
Figures from the DPC’s (Data Protection Commission) first annual report show that a total of 4,740 valid data breach notifications were received in 2018. This is a 70% increase on the 2017 figure of 2,795.
There were also 4,113 complaints in 2018, 70% of which were received after 25 May 2018, the GDPR enforcement date. In comparison, 2,642 complaints were made in 2017.
Taking these figures into account, it seems people are more aware of their rights since the GDPR came into force. A recent report from the European Data Protection Board supports this, with most supervisory authorities seeing a rise in queries and complaints last year compared to 2017.
According to the Special Eurobarometer 487a report, 67% of EU citizens polled have heard of the GDPR, although just 36% of these are aware of what the Regulation entails.
In addition, 57% indicated that they are aware of the existence of a public authority in their country that is responsible for protecting their data protection rights – a 20% increase since 2015.
Data breach types
According to the DPC, of the data breach notices from 25 May to 31 December last year, 85% were the result of disclosure. Disclosure is when a data subject’s personal data is disclosed in error, such as when an email or letter is sent to the wrong person.
Speaking at the Association of Compliance Officers in Ireland conference this year, Niall Cavanagh, the DPC’s assistant deputy commissioner, advised that the autocomplete function in email has caused a considerable number of data breaches.
Meanwhile, 3% of notifications related to phishing – attacks that could have been prevented if staff had been aware of how to recognise a phishing email.
65% of notifications came from the private sector and 35% from the public sector.
The DPC’s report outlines several case studies where a breach has occurred, advising that each one could have been prevented if appropriate technical and organisational measures had been implemented.
Appointment of a data protection officer
Under the GDPR, an organisation is required to provide the supervisory authority with the name and contact details of its DPO (data protection officer).
By 31 December 2018, the DPC had received 900 DPO notifications. It also had 15 open investigations into certain multinational technology organisations.
DPC’s ongoing investigations
Speaking to the Irish Times in May, Helen Dixon, Ireland’s recently reappointed Data Protection Commissioner, revealed that the DPC now has more than 50 open investigations, spanning domestic companies, public-sector bodies and US technology giants.
17 of these open investigations are focused on multinational technology companies that have their headquarters in Ireland. Eight investigations involve Facebook.
It’s important to note that the final decision on multinational technology companies must be approved by all 28 EU data protection commissioners. That notwithstanding, Dixon has indicated that fines are coming towards the end of summer and are likely to be substantial.
This is an excerpt from Alice Turley’s webinar ‘GDPR – One Year On’.
Alice is a qualified data protection, compliance and insurance professional, consultant and trainer. She is highly experienced in data protection, consumer protection and compliance, providing expert and solution-based advice to organisations within the insurance, advertising and education industries.