70% increase in data breach reporting post-GDPR
Commissioner for Data Protection, Helen Dixon, launched the first annual report of the new Data Protection Commission (DPC) covering the period 25 May to 31 December 2018, detailing the work of the Irish data protection authority following the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018.
Highlights of the 2018 Annual Report include:
- 2,864 complaints were received. In total, 4,113 complaints were received in the 2018 calendar year representing a 56% increase on the total number of complaints (2,642) received in 2017.
- 3,542 valid data security breaches were notified. In total, 4,740 valid data security breaches were notified in the 2018 calendar year representing a 70% increase on the total number of valid data security breaches (2,795) recorded in 2017.
- 136 cross-border processing complaints were received by the DPC through the new One-Stop-Shop mechanism that were lodged by individuals with other EU data protection authorities.
- Almost 31,000 contacts were received through the DPC’s Information and Assessment Unit.
- 31 own-volition inquiries were opened under the Data Protection Act 2018 into the surveillance of citizens by the state sector for law-enforcement purposes through the use of technologies such as CCTV, body-worn cameras, automatic number-plate recognition (ANPR) enabled systems, drones and other technologies.
- Work continued in relation to the special investigation into the Public Services Card (PSC).
- 15 statutory inquiries (investigations) were opened in relation to the compliance of certain technology companies with the GDPR.
- 32 new complaints were investigated under S.I. No. 336 of 2011 in respect of various forms of electronic direct marketing: 18 related to email marketing; 11 related to SMS (text message) marketing; and 3 related to telephone marketing. A number of these investigations concluded with successful District Court prosecutions by the DPC. Prosecutions were concluded during this period against five entities in respect of a total of 30 offences under the E-Privacy Regulations.
- The first stream of a public consultation on the processing of children’s personal data and the rights of children as data subjects under the GDPR was launched on 19 December 2018.
- In late 2018, the DPC commenced a significant project to develop a new five-year DPC regulatory strategy. This will include extensive external consultation during 2019, which will be central to the analysis, deliberation and conclusions on our enduring strategy.
- 900 Data Protection Officer notifications were received by the DPC.
- Staffing numbers increased from 85 at the end of 2017 to 110 at the end of 2018.
The Data Protection Commissioner, Helen Dixon, in publishing this report commented: “The rise in the number of complaints and queries demonstrates a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data.”
Commenting on the impact the introduction of GDPR has had, Ms Dixon stated: “Although we are still in the stage of having to bust some myths and misunderstandings that have built up around the GDPR, we feel very optimistic about the improvements we will see in Ireland in personal-data-handling practices over the next few years.”
Looking forward, Ms Dixon commented: “We look forward to industry embracing Codes of Conduct and raising the bar in individual sectors in terms of standards of data protection and transparency, which is why we have launched a large-scale consultation around the processing of children’s data, the results of which will be reflected in a best practice guidance note for industry.
The Irish DPC has been in expansion mode for the past four years and we are not stopping now. Following a major recruitment campaign in 2018, 25 new staff had joined the DPC by the end of December, with a further 25 coming on board in January 2019, so that the DPC has grown to 135 staff. We will recruit an additional 30 staff this year in order to meet the demands of the tasks assigned under the GDPR and to deliver public value in what is an area of critical importance to society.”
DPC Annual Report 25 May - 31 December 2018