Helen Dixon, Data Protection Commissioner ("DPC"), reflected on a busy year for her office in 2017. GDPR preparation undoubtedly contributed to the busy workload for her Office. There were also various court proceedings about important aspects of data protection interpretation.

During the year, there was a lengthy hearing with regard to the use of Standard Contractual Clauses (a key method used by businesses for carrying out international data transfers), with a request for a reference to be made to the Court of Justice of the EU (CJEU) for a ruling on the issue (read our report here). Abroad, there was the first review of Privacy Shield, with a positive finding that it continues to ensure an adequate level of data protection (read our report on the EU-US Privacy Shield here).

The DPC noted the growing importance of having adequate data protection and privacy laws in place. This is evident in the increased protections for individuals under the GDPR.

Highlights of the Commissioner's Annual Report for 2017:

  • the total number of complaints received in 2017 was 2,642, up from 1,479 in 2016 (a 79% increase), with the largest single category being “Access Rights”, which made up 1,372 (or 52%) of the total;
  • 2,795 valid data security breaches were recorded in 2017, representing an increase of 26% on the number of breaches recorded in 2016;
  • there was strong strategic engagement with the Article 29 Working Party, with active contributions at all plenary and subgroup meetings. The DPC acted as lead rapporteur on the GDPR transparency guidance;
  • there was extensive engagement with the Department of Justice and Equality providing observations and technical clarifications on what will become the Data Protection Act 2018;
  • a dedicated GDPR Awareness and Training Unit was established in 2017 with responsibility for driving the DPC’s awareness activities;
  • the DPC’s Special Investigations Unit conducted reviews of the Private Investigator sector and also the Hospital sector, while the DPC also continued its supervision of multinational companies; and
  • there was a clampdown on electronic marketing offences in 2017, resulting in 6 companies being prosecuted.

The Data Protection Commissioner's Goals for 2018:

  • building the capacity and capabilities of the DPC to reflect its enhanced role under the new GDPR and ePrivacy regime;
  • contributing at EU level through the Article 29 Working Party to the development of a harmonised interpretation of the new laws, preparation of GDPR guidance, and the evolution of the EU procedural framework for the new laws;
  • proactively targeting and engaging with public and private sector organisations, particularly in areas of highest risk and large-scale systemic data processing;
  • providing clear, high quality and timely guidance to data controllers and processors, including by maximising the use of social media and online communication channels; and
  • driving better compliance and accountability by organisations in upholding their obligations to data subjects.

For more information on the DPC's Annual Report for 2017, please see here.