Content Assessment: Luck of the Irish? Data Protection Commission of Ireland Publishes Annual Report
Information - 95%
Insight - 95%
Relevance - 90%
Objectivity - 95%
Authority - 100%
A short percentage-based assessment of the qualitative benefit of the post highlighting the February 2021 published annual report for 2020 by the Data Protection Commission (DPC) Ireland.
Editor’s Note: The Data Protection Commission (DPC) is the Irish supervisory authority for the General Data Protection Regulation (GDPR). It also has functions and powers related to other critical regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive. Recently the Commissioner for Data Protection, Helen Dixon, launched the Irish Data Protection Commission’s Annual Report for 2020. In this recently published report (February 25, 2021), DPC Ireland details the extensive span of regulatory work completed during its discharge of duties in the role of overseeing and regulating the application of EU data protection and e-privacy laws. As part of that detailing of work, the DPC shares details about breach notifications to the DPC during 2020. As data and legal professionals operating in the eDiscovery ecosystem seek to understand the market impact and opportunities driven by data breaches, they may benefit from the details and data points shared in this important annual report.
DPC Ireland 2020 Annual Report*
An Extract on Breaches (Chapter 3)
The number of breach notifications to the DPC remained high in 2020 but the DPC is more convinced than ever of the value of the mandatory requirement to notify under the GDPR. It allows the DPC to gain insights into the risks around the security and processing of personal data arising in organisations on a case-by-case basis and to intervene and guide on mitigation measures around those risks, where appropriate. In general, the responses we receive from organisations encourage the DPC in the view that most organisations want to comply and value the input of the DPC.
Breaches Under the GDPR
In 2020, the DPC received 6,783 data-breach notifications under Article 33 of the GDPR, of which 110 cases (2%) were classified as non-breaches as they did not meet the definition of a personal-data breach as set out in Article 4(12) of the GDPR. A total of 6,673 valid data protection breaches were recorded by the DPC in 2020, representing an increase of 10% (604) on the numbers reported in 2019.
As in other years, the highest category of data breaches notified under the GDPR was classified as Unauthorised Disclosures and accounted for 86% of the total data-breach notifications received in 2020. The majority of breaches occurred in the:
- Private Sector: 4,097
- Public Sector: 2,559
- Voluntary: 16
- Charity: 1
- Total: 6,673
The DPC also saw an increase in the use of social engineering and phishing attacks to gain access to the ICT systems of controllers and processors. While many organisations initially put in place effective ICT security measures, it is evident that organisations are not taking proactive steps to monitor and review these measures, or to train staff to ensure that they are aware of evolving threats. In these instances, we continue to recommend that organisations undertake periodic reviews of their ICT security measures and implement a comprehensive training plan for employees supported by refresher training and awareness programmes to mitigate the risks posed by an evolving threat landscape.
Data Breach Notifications by Category
- Disclosure (Unauthorised): 5,837
- Hacking: 146
- Malware: 19
- Phishing – Including Social Engineering: 74
- Ransomware/Denial of Service: 32
- Software Development Vulnerability: 5
- Device Lost or Stolen (Encrypted): 19
- Device Lost or Stolen (Unencrypted): 29
- Paper Lost or Stolen: 275
- E-Waste (Personal Data Present or Obsolete Device): 1
- Inappropriate Disposal of Paper: 21
- System Misconfiguration: 40
- Unauthorised Access: 146
- Unintended Online Publication: 61
- Other: 78
- Total: 6,783
The DPC received a total of 70 valid data-breach notifications under the e-Privacy Regulations (SI No. 336 of 2011), which accounted for just over 1% of total valid cases notified for the year.
The DPC also received 25 breach notifications in relation to the LED (Directive (EU) 2016/680), which has been transposed into Irish law by certain parts of the Data Protection Act 2018.
DPC Assessment of a Breach
Once a breach notification is lodged with the DPC, the DPC assesses it taking account of multiple aspects of the breach and the risks it poses. The first of these is the nature of the breach, including whether it was intentionally or accidentally caused, whether data was exfiltrated or made inaccessible, and the modes of technology and organisation involved. A history of breaches of a particular type may indicate a systemic issue affecting an individual data controller, a particular location or an entire economic sector. Characteristics of the personal data involved are central to the DPC’s assessment. These include the types, format and sensitivity of the personal data, the number of persons and records affected, and the potential for the data to be read or disseminated. The DPC will look at whether aspects such as profiling, automated decision making, monitoring or tracking have been taking place.
Similarly, categorisation of the data subjects — such as whether they are children or vulnerable persons — and characteristics of the data controller and/or processor, such as statutory responsibilities or processing of other types of personal data, can be highly significant. The volume of data subjects and the location of these data subjects are taken into account.
Other factors to be considered are the potential harms to data subjects resulting from disclosure, misuse or loss of personal data affected by the breach. This aspect of risk assessment is often overlooked by data controllers. Harms can range from temporary inconvenience to very serious risks, such as identity theft, financial loss, and misdiagnosis of medical conditions or reputational damage. The DPC will consider what the impact to the affected individuals is, including the severity, scope and context of the persons.
Finally, the DPC assesses mitigating factors, such as whether backups are available, vulnerabilities are addressed, and whether the data is retrieved or further disclosure prevented. Often data controllers do not implement simple measures such as encrypting information shared via email, or ensuring that all IT security measures are not only in place but also kept regularly updated. These factors are taken into consideration in the assessment.
If the facts are not fully known or remain unclear after the DPC’s initial assessment of a breach, they will continue to engage with the controller until such time as all matters have been responded to, to the satisfaction of the DPC. In some cases, the controller or processor may be asked to reassess the causes and consequences of the breach and report on its findings. Breaches involving complex IT issues may require assessment and analysis by the DPC’s technical specialists. In cases where the controller has either produced or commissioned a technical report or investigation report on the breach, a copy of this will be requested.
Pending completion of its investigation, the DPC may direct and monitor progress — on a rolling basis — of measures implemented to remedy or mitigate the effects of the breach. These could include informing data subjects of the breach under Article 34 of the GDPR, or the implementation of technical or organisational measures to address vulnerabilities.
Based on its assessment and on the controller’s actions to prevent or mitigate against further similar incidents, the DPC may conclude its investigation at this point. If the DPC is not satisfied with the mitigations or responses from the controller, it can escalate the matter for further investigative/enforcement action.
Source: DPC 2020 Annual Report (English)
* Copyrighted information note shared by permission according to the Re-use of Public Sector Information
- The Data Protection Commission (DPC) Ireland
- An Irish Update: DPC Ireland Publishes GDPR Regulatory Activity Report (2018-2020)