Luck of the Irish? Data Protection Commission of Ireland Publishes Annual Report

As shared by the Commissioner for Data Protection, Helen Dixon, “The progress the DPC has made in 2020 provides a solid platform on which to build across our enforcement and complaint-handling functions in particular. The GDPR must be understood as a project for the now, but equally for the longer-term. The DPC intends to continue as a leader in its full implementation.”


Content Assessment: Luck of the Irish? Data Protection Commission of Ireland Publishes Annual Report

  • Information: 95%
  • Insight: 95%
  • Relevance: 90%
  • Objectivity: 95%
  • Authority: 100%
  • Overall: 95% (Excellent)

A short percentage-based assessment of the qualitative benefit of the post highlighting the annual report for 2020, published in February 2021 by the Data Protection Commission (DPC) Ireland.

Editor’s Note: The Data Protection Commission (DPC) is the Irish supervisory authority for the General Data Protection Regulation (GDPR). It also has functions and powers related to other critical regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive. Recently the Commissioner for Data Protection, Helen Dixon, launched the Irish Data Protection Commission’s Annual Report for 2020. In this recently published report (February 25, 2021), DPC Ireland details the extensive span of regulatory work completed during its discharge of duties in the role of overseeing and regulating the application of EU data protection and e-privacy laws. As part of that detailing of work, the DPC shares details about breach notifications to the DPC during 2020. As data and legal professionals operating in the eDiscovery ecosystem seek to understand the market impact and opportunities driven by data breaches, they may benefit from the details and data points shared in this important annual report.

DPC Ireland 2020 Annual Report*

An Extract on Breaches (Chapter 3)

The number of breach notifications to the DPC remained high in 2020 but the DPC is more convinced than ever of the value of the mandatory requirement to notify under the GDPR. It allows the DPC to gain insights into the risks around the security and processing of personal data arising in organisations on a case-by-case basis and to intervene and guide on mitigation measures around those risks, where appropriate. In general, the responses we receive from organisations encourage the DPC in the view that most organisations want to comply and value the input of the DPC.

Breaches Under the GDPR

In 2020, the DPC received 6,783 data-breach notifications under Article 33 of the GDPR, of which 110 cases (2%) were classified as non-breaches as they did not meet the definition of a personal-data breach set out in Article 4(12) of the GDPR. A total of 6,673 valid data protection breaches were recorded by the DPC in 2020, representing an increase of 10% (604) on the numbers reported in 2019.

As in other years, the highest category of data breaches notified under the GDPR was classified as Unauthorised Disclosures, which accounted for 86% of the total data-breach notifications received in 2020. Breaches occurred in the following sectors:

  • Private Sector: 4,097
  • Public Sector: 2,559
  • Voluntary: 16
  • Charity: 1
  • Total: 6,673

The DPC also saw an increase in the use of social engineering and phishing attacks to gain access to the ICT systems of controllers and processors. While many organisations initially put in place effective ICT security measures, it is evident that organisations are not taking proactive steps to monitor and review these measures, or to train staff to ensure that they are aware of evolving threats. In these instances, we continue to recommend that organisations undertake periodic reviews of their ICT security measures and implement a comprehensive training plan for employees supported by refresher training and awareness programmes to mitigate the risks posed by an evolving threat landscape.

Data Breach Notifications by Category

  • Disclosure (Unauthorised): 5,837
  • Hacking: 146
  • Malware: 19
  • Phishing – Including Social Engineering: 74
  • Ransomware/Denial of Service: 32
  • Software Development Vulnerability: 5
  • Device Lost or Stolen (Encrypted): 19
  • Device Lost or Stolen (Unencrypted): 29
  • Paper Lost or Stolen: 275
  • E-Waste (Personal Data Present on Obsolete Device): 1
  • Inappropriate Disposal of Paper: 21
  • System Misconfiguration: 40
  • Unauthorised Access: 146
  • Unintended Online Publication: 61
  • Other: 78
  • Total: 6,783

E-Privacy Breaches 

The DPC received a total of 70 valid data-breach notifications under the e-Privacy Regulations (SI No. 336 of 2011), which accounted for just over 1% of total valid cases notified for the year. 

LED Breaches 

The DPC also received 25 breach notifications in relation to the LED, (Directive (EU) 2016/680), which has been transposed into Irish law by certain parts of the Data Protection Act 2018. 

DPC Assessment of a Breach 

Once a breach notification is lodged with the DPC, the DPC assesses it taking account of multiple aspects of the breach and the risks it poses. The first of these is the nature of the breach, including whether it was intentionally or accidentally caused, whether data was exfiltrated or made inaccessible, and the modes of technology and organisation involved. A history of breaches of a particular type may indicate a systemic issue affecting an individual data controller, a particular location or an entire economic sector. Characteristics of the personal data involved are central to the DPC’s assessment. These include the types, format and sensitivity of the personal data, the number of persons and records affected, and the potential for the data to be read or disseminated. The DPC will look at whether aspects such as profiling, automated decision making, monitoring or tracking has been taking place. 

Similarly, categorisation of the data subjects — such as whether they are children or vulnerable persons — and characteristics of the data controller and/or processor, such as statutory responsibilities or processing of other types of personal data, can be highly significant. The volume of data subjects and the location of these data subjects is taken into account. 

Other factors to be considered are the potential harms to data subjects resulting from disclosure, misuse or loss of personal data affected by the breach. This aspect of risk assessment is often overlooked by data controllers. Harms can range from temporary inconvenience to very serious risks, such as identity theft, financial loss, and misdiagnosis of medical conditions or reputational damage. The DPC will consider what the impact to the affected individuals is, including the severity, scope and context of the persons. 

Finally, the DPC assesses mitigating factors, such as whether backups are available, whether vulnerabilities are addressed, and whether the data is retrieved or further disclosure prevented. Often data controllers do not implement simple measures such as encrypting information shared via email, or ensuring that all IT security measures are not only in place but also kept regularly updated. These factors are taken into consideration in the assessment.

If the facts are not fully known or remain unclear after the DPC’s initial assessment of a breach, they will continue to engage with the controller until such time as all matters have been responded to, to the satisfaction of the DPC. In some cases, the controller or processor may be asked to reassess the causes and consequences of the breach and report on its findings. Breaches involving complex IT issues may require assessment and analysis by the DPC’s technical specialists. In cases where the controller has either produced or commissioned a technical report or investigation report on the breach, a copy of this will be requested.

Pending completion of its investigation, the DPC may direct and monitor progress — on a rolling basis — of measures implemented to remedy or mitigate the effects of the breach. These could include informing data subjects of the breach under Article 34 of the GDPR, or the implementation of technical or organisational measures to address vulnerabilities. 

Based on its assessment and on the controller’s actions to prevent or mitigate against further similar incidents, the DPC may conclude its investigation at this point. If the DPC is not satisfied with the mitigations or responses from the controller, it can escalate the matter for further investigative/enforcement action.

Review the Complete Report (PDF)

DPC 2020 Annual Report (English)

Read the original post via the Data Protection Commission (DPC Ireland) website.

Copyrighted information note: shared by permission according to the Re-use of Public Sector Information regulations.

Source: ComplexDiscovery
