On 24 February 2022, the Data Protection Commission (DPC) published its third annual report since its inception. The Annual Report 2021 highlights several achievements and large-scale inquiries that the DPC concluded during 2021. The DPC observed a high volume of complaints (an increase of 7% from 2020) and of reported data breaches, and predicted that those numbers will rise in 2022. This article focuses on four significant observations made in the report. First, it outlines some observations made by the DPC regarding common issues faced by organisations in managing Subject Access Requests (SARs). Second, it looks at trends in data breaches. Third, it gives an update on the progress made by the DPC on cookies investigations. Lastly, it touches upon the objectives of the five-year Regulation Strategy of the DPC for Ireland.
DPC observations on SARs:
Of the 3,389 complaints received by the DPC, 42% concerned data subject access requests. The DPC observes a repeated trend from 2020 that controllers have difficulties in responding to SARs adequately and, as a consequence, the DPC found that most complaints were related to this aspect. DPC investigations have revealed that controllers:
- Often do not perform an extensive search for the data requested by the individual;
- Have not explained the specific reason for not disclosing data to the individual;
- Have failed to respond to the data access request within the statutory timeline.
To address this trend, the DPC intends to commence enforcement actions against all defaulting controllers, including controllers that do not adequately respond to data subjects or to the commencement of proceeding notices issued by the DPC.
DPC observations on Breaches:
The DPC received a total of 6,616 data breach notifications in 2021, of which only 6,549 were considered valid by the DPC. Comparing the 2020 figures with the 2021 figures, the following trends are evident:
- The number of valid data breaches is down by 2%; and
- Similar to last year, unauthorised disclosures amounted to the highest category of data breaches notified.
The DPC also observed that a disproportionately large number of breaches (a total of 2,707) had been reported by organisations that fall within the public sector in Ireland. The investigations have revealed that poor operational practices and human error, such as the inclusion of the wrong attachment in digital or physical correspondence, were the leading cause of many reported data breaches.
Following consultation, the DPC rolled out a new breach notification form in 2021. The updated notification form contains a questionnaire that aims to establish whether the breach results in cross-border ramifications. Another noteworthy change is the requirement to disclose the technical and organisational measures in place before and following the occurrence of a data breach. These additions will enable the DPC to immediately analyse breaches and suggest swift measures to mitigate and prevent future similar occurrences.
Another notable change from 2021 is the DPC’s decision to only issue an acknowledgement of notification of breaches and to stop automatically initiating further engagement. The DPC will therefore not be conducting a risk or impact assessment, and no mitigation measures will be issued to the controllers, as was previously the case. However, the absence of communication and further engagement should not be misconstrued as a satisfactory assessment by the DPC regarding the issue. This indicates a sharp shift towards prioritising enforcement actions in the forthcoming year.
DPC observations on Cookies:
The DPC continued to carry out its cookie sweep in 2021, and found that controllers continued to set tracking and advertising cookies without consent. The DPC also found that several controllers followed the approach of a cookie wall, wherein the banner obstructed access to information on the webpage and contained a pre-ticked check box indicating consent for cookies on the part of the individual. The DPC emphasises the need for the effective implementation of legislation such as the proposed Digital Services Act, Digital Markets Act and the e-Privacy Regulation to bring about visible change, as the trends from 2020 have continued in 2021. The DPC indicated that the cookie sweep and investigations will continue in 2022.
A new five-year strategy for the DPC
The DPC has published a new five-year strategy for 2022 to 2027 and continued to increase access to guidance through its website and LinkedIn profiles. The strategy revolves around five key objectives:
- Regulate with consistency and efficiency;
- Safeguard individuals and other vulnerable groups;
- Promote data protection awareness;
- Bring clarity to stakeholders with respect to their obligations; and
- Support organisations in compliance.
Conclusion
As we move into another year with the GDPR, the need for organisations to establish and embed an effective data protection compliance framework is becoming increasingly evident. As we progress through 2022, organisations can improve their data protection compliance by:
- Incorporating targeted additional requirements in policy and procedure to streamline responses to SARs and notify data breaches;
- Obtaining assurance as to how effective their policies, procedures and processes are in practice (e.g. audits and key performance indicators);
- Rendering specific and bespoke training to targeted employees on a recurring basis to improve awareness and accountability; and
- Formulating compliance frameworks to elevate the level of data protection maturity from a policy implementation perspective.
These measures would help transform data protection from a one-dimensional compliance exercise into a strategic, business-as-usual requirement. In turn, this approach builds organisational resilience and helps to prevent future data protection challenges.
Trilateral’s Data Governance and Cyber-Risk Team has significant experience supporting organisations in implementing appropriate security measures regarding personal data and/or raising internal awareness of the importance of data protection. We offer a range of data governance services that can help your organisation develop policies and procedures for ongoing compliance. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support. Please feel free to contact our advisors for more information, who would be more than happy to help.