The Data Protection Commissioner's annual report stresses that organisations must be prepared for 25 May 2018, the date from which the EU General Data Protection Regulation (GDPR) applies. The report also emphasises the growing investigations and enforcement role of the Office of the Data Protection Commissioner (ODPC).
Key points from the report include:
- Complaints, Investigations and Data Breaches
The report welcomes the improved standards of compliance that have resulted from the increased focus on enforcement in the run-up to the GDPR.
The ODPC investigated 1,479 individual complaints in 2016, 56% of which related to access requests. Complaints to the ODPC have increased dramatically, from 658 in 2006 to 1,479 in 2016.
The Special Investigations Unit had its first fully operational year in 2016. This unit conducts investigations on its own initiative, rather than investigations arising from complaints. Two prosecutions in 2016 resulted from the work carried out by this unit.
The ODPC received 2,224 data breach notifications in 2016, down from 2,317 in 2015. However, the number of network-security compromises and website-security breaches reported to the ODPC increased. The largest category of breaches was unauthorised disclosure, such as postal and electronic disclosures to the wrong recipient, with most of those breaches arising in the financial sector.
- Multinationals & Technology Team
The Multinationals and Technology team was established to supervise multinationals based in Ireland. All consultations, investigations and audits that relate to cross-border processing by multinationals fall within the remit of this specialised team.
In 2016 this unit investigated a variety of technology-related complaints and identified the following three most common data protection issues:
- Data controllers not being fully aware of their obligations when engaging data processors, or not discharging those obligations fully
- Over-reliance on a single type of security measure, leaving other security vulnerabilities unaddressed
- Attacks misjudged as innocent activity because of a lack of organisational standards for recognising and handling them
The Multinationals and Technology team will have an important role to play within the ODPC once the GDPR applies, as the ODPC will be the lead supervisory authority for multinationals whose main EU establishment is in Ireland. The report also highlights that the ODPC has initiated discussions with multinationals about their GDPR preparations, and it expects this engagement to increase during 2017.
- Binding Corporate Rules
Binding corporate rules (BCRs) allow a corporate group to transfer personal data between its own entities, including to entities outside the EEA, in compliance with data protection law.
During 2016 the ODPC acted as lead reviewer in seven BCR applications. The report predicts an increase in BCR applications in the coming year, given that the GDPR expressly recognises BCRs as a mechanism for international transfers.
- Expansion of the ODPC
Reflecting preparation for the new data protection regime, the ODPC has significantly expanded its resources following an increase in its annual budget from €4.7m in 2016 to €7.5m in 2017. Staff numbers are also expected to increase in 2017.
With the Data Protection Commissioner's increased focus on compliance and enforcement, and with the GDPR just around the corner, organisations with operations in Ireland and the EU should ensure that they are fully prepared for the new era in data protection.