Data Protection Commission issues Annual Report for 2020

• Ireland

• Privacy, data protection and cybersecurity

25-02-2021

The Data Protection Commission (“DPC”) has today published its annual report for 2020.

2020 marks the second full year of application of the GDPR. The annual report provides an insight into the work of the DPC during this period, key areas of interest the DPC has identified and information on the number of data breaches, complaints, enquiries etc received by the DPC during this time.

Some key areas of interest in the DPC annual report include:

• Data breaches – 6,628 valid data security breaches were notified to the DPC in 2020. 110 additional cases were deemed non-breaches as they did not meet the definition of a personal-data breach under GDPR. The number of data breach notifications remains high but the DPC highlighted the benefits of mandatory breach notification which allows the DPC to gain insight into the risks arising in organisations and provide guidance where appropriate;

• Cyber attacks - The DPC noted an increase in cyber-attacks through social engineering and phishing attacks to gain access to ICT systems of data controllers and processors. While it found many organisations had initially implemented effective ICT security measures, there was a lack of proactive steps taken to continuously monitor and review these measures to detect threats. This demonstrates how important it is for organisations to not only have appropriate incident management responses in place, but to continue to undertake periodic reviews and ensure employees regularly undergo refresher training to mitigate risks and raise awareness;

• Statutory inquiries – As of 31 December 2020, the DPC had 83 statutory inquiries on hand, comprising of 56 domestic inquiries and 27 cross-border inquiries. These inquiries are either complaint based or part of the DPC’s own volition inquiries;

• Complaints – 4,660 complaints under the GDPR were received in 2020. Complaints made by individuals against organisations to  the DPC ranged from issues such as securing access to personal data, excessive personal data collection and unauthorised and unnecessary disclosure of personal data to third parties. The DPC noted that cases concerning employment law disputes continued to be a common theme in the number of complaints received by the DPC;

• Misuse – The DPC noted an unwelcome trend of organisations and individuals attempting to misuse the GDPR to pursue other agendas. The DPC noted its intention to ‘call out’ over time any inaccurate assertions in circulation. One such example given was of organisations deleting CCTV footage after being on notice of an access request concerning that footage, claiming the GDPR required deletion after 7 days;

• Data protection and disputes – The DPC also highlighted a common feature of complaints received continue to have little to do with data protection issues and display the need for individuals to have access to  an independent and accessible dispute resolution service for general grievances. Such complaints include events associated with working environment, medical treatment, relationship disputes, problems with neighbours and even how a child was dealt with at school following an incident with another child. The DPC stressed that it cannot operate outside its statutory remit and to do so would run the risk of data protection regulation, as intended, becoming ‘the law of everything’.

The annual report provides useful guidance for organisations on their obligations under data protection law and maintaining compliance with same. It once again highlights the importance of organisations having clear policies and procedures in place for data protection purposes.

The full annual report can be found on the DPC website here.

Should your organisation have any data protection queries or wish to discuss any concerns, we are happy to assist and support your organisation through any issues.