Data Protection Commission publishes first annual report
Friday, 01 March 2019
The new office of the Data Protection Commission (“DPC”) was established on 25 May 2018, at the time of the commencement of the General Data Protection Regulation ("GDPR") and the Data Protection Act 2018. On Thursday, 28 February the DPC published their first annual report covering the period 25 May 2018 to 31 December 2018.
- 2,864 complaints were received, with the largest single category being “Access Rights.”
- While the majority of complaints continued to be amicably resolved, the DPC issued a total of 18 formal decisions. Of these, 13 upheld the complaint and 5 rejected the complaint.
- 32 new complaints were investigated under S.I. 336 of 2011 in respect of various forms of electronic direct marketing: 18 related to email marketing; 11 related to SMS (text message) marketing; and 3 related to telephone marketing.
- 3,542 valid data security breaches were recorded, with the largest single category being “Unauthorised Disclosures.” 38 of the data breaches related to 11 multinational technological companies.
- The Special Investigations Unit ("SIU") opened 31 own-volition inquiries under the Data Protection Act 2018 into the surveillance of citizens by the state sector for law-enforcement purposes through the use of technologies such as CCTV, body-worn cameras, automatic number-plate recognition enabled systems, drones and other technologies. The SIU also continued its work in relation to the special investigation into the Public Services Card of the Department of Employment Affairs and Social Protection.
- 15 statutory inquiries (investigations) were opened in relation to multinational technology companies' compliance with the GDPR.
- The first stream of a public consultation on the processing of children’s personal data and the rights of children as data subjects under the GDPR was launched on 19 December 2018, with the closing date extended to 5 April 2019.
- The DPC received 900 Data Protection Officer notifications.
DPC Focus for 2019:
- Enhancing the quality and responsiveness of the Information and Assessment Unit (“IAU”).
- The SIU was established in 2015 to carry out investigations of its own initiative as opposed to complaints-based investigations. In 2019, the focus of the SIU’s work will be carried out through own-volition inquiries.
- In late 2018, the DPC established an advanced technology evaluation and assessment unit (the Technology Leadership Unit ("TLU")) with the objective of supporting and maximising the effectiveness of the DPC’s supervision and enforcement teams in assessing risks relating to the dynamics of complex systems and technology. Throughout 2019, the TLU will undertake “sweeps” or data controller surveys that will inform the DPC of compliance activities; desktop studies evaluating data subjects’ perspectives of data controller compliance efforts; and research into contemporary matters such as artificial intelligence and machine learning, encryption, digital ledger technology, digital assistants and identity management and authentication technologies.
- In Q2 2019 the DPC will roll out supports for a DPO network in Ireland.
- Providing legislative observations has become a key role of the DPC’s consultation function following the application of the GDPR and the enactment of the Data Protection Act 2018. It is anticipated that this function will grow substantially in 2019.
- The DPC’s new consultation team is tasked with providing guidance to data controllers in the charity and voluntary sector and plans to issue targeted guidance for the charity sector in Q2 and Q3 of 2019.
- The DPC is also establishing a new unit to operationalise the important new mechanisms of Certification and Codes of Conduct that have been introduced by the GDPR.
- In 2019, the DPC will continue to engage with companies on transparency standards. Other priorities for the sector will include engagement with the financial and insurance sectors to better understand the application of emerging technologies to their data-processing operations, and the ongoing monitoring, including statutory consultation where required, of proposals to implement national banking and insurance fraud databases.