The GDPR and the DPC 2018-2020

A recently published report shines a light on the GDPR and the work of the DPC over 2018-2020. In a previous blog we looked at the GDPR and the work of the DPC a year into the operation of the regulation. Following that, we discussed in another blog how, although the early awareness of the new regulation had waned, GDPR had not gone away. Two years have now passed since the regulation came into effect, so it is time to re-examine some aspects of this novel regulation. Unfortunately the Covid-19 pandemic continues. We will return to data protection issues within this context in an upcoming blog post, with a focus on recent developments and updates from the DPC in relation to the transfer of data to the US.

The DPC has released a report which sheds light on trends and patterns that have emerged since the introduction of the GDPR. “Given its role as Lead Supervisory Authority to the various multinational organisations that are headquartered here, much attention is naturally given to Ireland’s regulatory activities in the realm of ‘big tech’.” (DPC, 2018-2020 report at p.5). So, what has been the focus of the work of the DPC under the new regulatory regime? Have there been issues that have predominated?

“Though the same themes frequently re-occur – access issues, for example, being a consistent area of contention – there are nuances within each case that impact greatly on timescales and the resolution process”. The same is true of breach notifications, which the DPC also receives in consistently high numbers month-on-month. In the two years since the GDPR came into effect, the DPC has received almost 12,500 breach notifications, of which 93% were found to be in scope of the GDPR. The DPC has processed and closed out almost 95% of these breach notifications. Despite the high volumes, the cases that have been assessed give no indication that organisations are over-reporting. Rather, they suggest that many of the breaches that the DPC examines could have been prevented by more stringent technical and organisational measures at source…

It is important to bear in mind that “The DPC’s remit is not limited to regulation of the GDPR. It encompasses all data protection legislation currently in force in Ireland, which includes a significant but declining volume of legacy work falling under the 1988 and 2003 Data Protection Acts”. The rate of old “Act cases” coming before the DPC is diminishing relative to the rates seen in May 2018, and the expectation is that this natural decline will continue over time.

This DPC report is intended to assess the range of regulatory tasks of the Data Protection Commission for the period 25 May 2018 to 25 May 2020. It is distinguishable from the Commission’s Annual Reports in that it does not focus on the administration of the office. The report takes stock of the DPC’s experience of its mandated functions under the GDPR, its legal activities and the allocation of its resources in support of Article 57(1)(b) and (d). To note, while the report refers in shorthand to “the GDPR”, it is in fact intended to cover the substantive roles of the DPC under the three main pieces of data protection legislation – the GDPR, the e-Privacy Directive and the Law Enforcement Directive as transposed in the Data Protection Act 2018. Since 25 May 2018, the most frequent GDPR topics for queries and complaints have consistently been: Access Requests; Fair processing; Disclosure; Right to be Forgotten (delisting and/or removal requests); Direct marketing and Data Security.

  • Total breach notifications received between 25 May 2018 and 25 May 2020: 12,437.
  • 93% classified as relating to GDPR (11,567 notifications).
  • Of the 12,437 total recorded breach cases, 94.88% concluded (11,800 cases). The most frequent cause of breaches reported to the DPC is unauthorised disclosure (80%).

The purpose of this two-year assessment is to provide a wider-angled lens through which to assess the work of the DPC since the implementation of the General Data Protection Regulation; in particular, to examine wider datasets and annual trends to see what patterns can be identified.

While the DPC – as is the case for many other stakeholders – could already make some observations about aspects of the GDPR and the one-stop-shop procedures that work less well, the purpose of the document is not to offer a critique at this juncture but rather to showcase what has – and is – being delivered.

Regulating

Since May 2018, the DPC has opened 24 cross-border inquiries and 53 national inquiries. In May 2020 the DPC issued its first fines under the GDPR, levying two separate fines against an Irish state agency. Also in May 2020, the DPC issued a reprimand to the agency and ordered it to bring its processing into compliance. In the same month, the DPC sent its first major-scale Article 60 Draft Decision to the EDPB. The DPC has concluded nine litigation cases since GDPR came into effect. Through Supervision action, the DPC has brought about the postponement or revision of six planned big tech projects with implications for the rights and freedoms of individuals.

Enforcing

  • An Garda Síochana – reprimand and corrective powers applied in accordance with the Data Protection Act, 2018.
  • Tusla; The Child and Family Agency – two separate reprimands and fines applied in accordance with the Data Protection Act, 2018.
  • Twitter – Inquiry completed and draft decision forwarded to EU concerned data protection authorities in accordance with Article 60 of the GDPR.
  • DEASP – Enforcement notice issued regarding the use of the Public Services Card (currently under appeal).
  • 59 Section 10 decisions issued.
  • 15,000 breach notifications assessed and concluded.
  • 9 litigation cases concluded in the Irish Courts.
  • Hearing in CJEU Standard Contractual Clauses case brought by DPC to Irish High Court.
  • 80% of cases received under the GDPR have been concluded.

Mainstreaming Data Protection

Staff of the DPC have presented at over 330 stakeholder events since 25 May 2018. Since the Coronavirus restrictions have been in effect, the DPC has continued to support stakeholder events through online participation. The DPC has committed to driving awareness of data protection rights and responsibilities, including through over 40 guidance notes covering technological advice, GDPR compliance and direct marketing/electoral constraints.

Other Activity

Since May 2018:

  • The DPC has opened 282 new direct marketing complaints and concluded 247.
  • There have been 11 successful prosecutions against companies for a combination of 42 offences under S.I. No. 336/2011.
  • The office handled 66 Law Enforcement Directive complaints.
  • The DPC has successfully completed the EDPB consistency opinion process for both Code of Conduct monitoring bodies and the additional requirements for INAB.
  • A Data Protection Officer Network has been established.
  • The DPC has partnered with the Croatian Data Protection Authority and Vrije University on an EU-funded project specifically targeting SMEs.

Most Frequently Queried GDPR Topics

Since 25 May 2018, the most frequently raised GDPR topics for queries and complaints have consistently been:

  • Queries relating specifically to Access Requests;
  • General queries (unclassified);
  • Fair processing (including fair obtaining and further processing);
  • Disclosure (data shared with a third party);
  • Right to be Forgotten (delisting and/or removal requests);
  • Direct marketing; and
  • Data Security.

The single most cited data protection issue was access requests, with a total of 3,398 or 22.62% of all cases. Close behind was the ‘general query’ category, which accounted for 3,245 cases or 22% of the total. Issues of fair processing and disclosure followed, with 15% and 12% of the total respectively.

Breaches

Any organisation or body which decides why and how personal data is used as part of its business – regardless of whether the data pertains to customers or staff – is a data controller and ultimately accountable for the safeguarding of the personal information in its possession. Article 33 of the GDPR introduced several obligatory actions for data controllers, including mandatory notification of breaches to the appropriate data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. In the two years since the introduction of this provision, the DPC has seen a very large increase in the breaches being notified to it compared with the pre-GDPR regime.

  • Total breach notifications received between 25 May 2018 and 25 May 2020: 12,437
  • 93% have been classified as relating to GDPR (11,567 notifications).
  • Of the 12,437 total recorded breach cases, 94.88% have been concluded (11,800 cases) and 5.12% are currently active (637 cases).

With the exception of a seasonal decline in December 2018, the number of breaches being reported to the DPC remained broadly consistent over the first 18 months of GDPR implementation. Q2 of 2020 shows an overall trend towards reduced breach notifications. It is not possible to attribute this decline to a particular cause, though it is likely that the number of breach notifications has been impacted by the Coronavirus crisis.

We saw earlier that by far the most frequent cause of breaches reported to the DPC is unauthorised disclosure (80%), whether by digital, verbal or other manual means. Manual processing – and consequently an inferred lack of robust processing procedures – is at the root of far more reported breaches than phishing, hacking or lost devices (5.6% collectively). As with the trends observed earlier in the queries and complaints that the DPC receives, the patterns within the recorded breach notifications indicate a significant volume of work falling to the DPC that could be mitigated by more robust technical and organisational measures being introduced by the data controller. The processes for testing, assessing and evaluating these measures should be overseen by the data protection officer going forward.

At present, the DPC workload in the breach area is heavily influenced by the need to engage with organisations to address elementary processing failures. As time moves on, the DPC expects to see changed behaviours amongst its regulated entities, resulting in a reduction in the volume of breach notifications that can be attributed to a lack of due care and attention. Some examples are instructive.

Insufficient organisational and technical measures in place to secure data

An organisation responsible for providing care to both children and adults with a range of support requirements notified the DPC of a breach in which it outlined that a wheelie bin containing the personal data of residents and staff of the facility had been removed from its premises and discarded on a neighbouring property. The individual who discovered the contents of the wheelie bin fly-tipped on their property contacted the organisation after first inspecting the records to establish their origin. Following contact from the individual, the organisation arranged to retrieve the records and disposed of them in an appropriate manner. Based on the information provided by the organisation, the DPC raised a number of queries focusing on whether the organisation had policies and procedures for confidential disposal, and whether they were in place at the time of the incident.

The organisation advised that it did not have a specific confidential disposal policy in place; however, it did advise that the premises had shredding facilities to assist with the confidential disposal of records. On this occasion, these facilities were not utilised. The DPC highlighted that – as a data controller – it was the organisation’s responsibility to ensure that appropriate organisational and technical measures are employed so that the processing of personal data is done in a secure manner. The DPC also highlighted that the processing of personal data encompasses its erasure and/or destruction. The DPC recommended that the data controller undertake the following actions:

  • Complete a GDPR self-assessment to identify areas where immediate remedial actions are required in order to ensure compliance with GDPR.
  • Review their obligations as a data controller, in particular their obligation centering on the security of data.
  • Undertake an exercise to produce adequate policies and procedures in relation to the appropriate disposal of personal/sensitive records both in hard and soft copy.

Based on the recommendations of the DPC the data controller has initiated a data protection compliance project to address the areas highlighted. The data controller committed to providing the DPC with updates in relation to the progress of this project and making available the necessary evidence of actions undertaken based on the recommendations provided. This is being monitored on an ongoing basis.

Data Processor Accounts Compromised

In October 2019, the DPC was notified by an Irish public sector body of a personal data breach, which had occurred as a result of a compromised email account being used by a data processor. This exposed the public sector body to the risk that personal data – including data subjects’ names, addresses, dates of birth, details of family relationships and biometric data – could be accessed by a malicious third party while being sent to, or held in, the compromised account. The data processor was located outside the European Union and was using a locally hosted email provider.

The DPC engaged with the public body in order to determine what measures it had in place at the time of the breach to ensure that the processor took all precautions required, pursuant to Article 32 of the GDPR (security of processing). The DPC also sought to determine whether the arrangement between the public sector body and the processor was such as to require the processor to assist it in ensuring compliance with data security and personal data breach notification obligations, and to make available to the controller all information necessary to demonstrate compliance with data security obligations, as required by Article 28 of the GDPR. Following extensive engagement between the DPC and the public sector body in question, the DPC issued specific recommendations to the entity, including recommendations for technical measures to be implemented by third-party processors engaged by the public sector body.

In response to these recommendations, the public sector body informed the DPC that it is providing secure email addresses to relevant processors to replace locally hosted email accounts and is revising its conditions for the engagement of data processors, including specific requirements on data security and training. It has also provided the DPC with regular updates on the implementation of the DPC’s recommendations, including copies of relevant documentation. The DPC continues to engage on a regular basis with the relevant public sector body in order to monitor its implementation of these recommendations.

Unsecured Data Storage

In November 2019 the DPC, largely through media reports, was made aware of a potential data breach in an Irish university. The potential breach arose from large amounts of personal data, including payroll, bank details and PPS numbers, being held in a location that allowed easy access by a very large number of people. The university was made aware of its obligations under Art. 33 GDPR and following this quickly notified a breach to the DPC.

The DPC engaged with the university to determine who had access to the data, the level of supervision of those who had access, the nature and sensitivity of the data and finally what the university had done to respond to the breach. To prevent a repetition and to ensure that data was processed appropriately in the future, the DPC made some specific recommendations. In particular the DPC advised the data controller:

  • To review the level of physical security applied to the facilities in which personal data is held;
  • To ensure adequate access controls are put in place and, in particular, that access to personal data is on a strict ‘need to know’ basis, with particular care given depending on the nature and sensitivity of the personal data;
  • To review its data retention policies taking care not to collect or retain unnecessary data and at the same time ensuring that the controller can record and track any archived data;
  • To provide regular and up to date training on data security.

The data controller took heed of all the recommendations and continues to engage with the DPC on a periodic basis. (DPC report at p.28)

The point evidenced by the foregoing examples is that the DPC has been busy since the introduction of the GDPR, but it seems only the higher-profile investigations attract attention. Behind the scenes, and away from public view, many investigations commence, and most are brought to an appropriate conclusion in a timely manner. Results vary and not all investigations lead to sanctions. Many of the case examples above display a willingness by the DPC to take a proportionate response.

Patrick Rowland, GDPRXpert.ie.

We are GDPR and Data Protection consultants with bases in Carlow/Kilkenny and Mayo, offering a nationwide service.

For more details visit www.gdprxpert.ie