Luck of the Irish? Data Protection Commission of Ireland Publishes Annual Report

As shared by the Commissioner for Data Protection, Helen Dixon, “The progress the DPC has made in 2020 provides a solid platform on which to build across our enforcement and complaint-handling functions in particular. The GDPR must be understood as a project for the now, but equally for the longer-term. The DPC intends to continue as a leader in its full implementation.”



Editor’s Note: The Data Protection Commission (DPC) is the Irish supervisory authority for the General Data Protection Regulation (GDPR). It also has functions and powers related to other critical regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive. Recently the Commissioner for Data Protection, Helen Dixon, launched the Irish Data Protection Commission’s Annual Report for 2020. In this recently published report (February 25, 2021), DPC Ireland details the extensive span of regulatory work completed during its discharge of duties in the role of overseeing and regulating the application of EU data protection and e-privacy laws. As part of that detailing of work, the DPC shares details about breach notifications to the DPC during 2020. As data and legal professionals operating in the eDiscovery ecosystem seek to understand the market impact and opportunities driven by data breaches, they may benefit from the details and data points shared in this important annual report.

DPC Ireland 2020 Annual Report*

An Extract on Breaches (Chapter 3)

The number of breach notifications to the DPC remained high in 2020 but the DPC is more convinced than ever of the value of the mandatory requirement to notify under the GDPR. It allows the DPC to gain insights into the risks around the security and processing of personal data arising in organisations on a case-by-case basis and to intervene and guide on mitigation measures around those risks, where appropriate. In general, the responses we receive from organisations encourage the DPC in the view that most organisations want to comply and value the input of the DPC.

Breaches Under the GDPR

In 2020, the DPC received 6,783 data-breach notifications under Article 33 of the GDPR, of which 110 cases (2%) were classified as non-breaches because they did not meet the definition of a personal-data breach set out in Article 4(12) of the GDPR. A total of 6,673 valid data protection breaches were recorded by the DPC in 2020, representing an increase of 10% (604) on the numbers reported in 2019.

As in other years, the largest category of data breaches notified under the GDPR was Unauthorised Disclosures, which accounted for 86% of the total data-breach notifications received in 2020. The breaches occurred in the following sectors, with the majority in the private sector:

  • Private Sector: 4,097
  • Public Sector: 2,559
  • Voluntary: 16
  • Charity: 1
  • Total: 6,673

The DPC also saw an increase in the use of social engineering and phishing attacks to gain access to the ICT systems of controllers and processors. While many organisations initially put in place effective ICT security measures, it is evident that organisations are not taking proactive steps to monitor and review these measures, or to train staff to ensure that they are aware of evolving threats. In these instances, we continue to recommend that organisations undertake periodic reviews of their ICT security measures and implement a comprehensive training plan for employees supported by refresher training and awareness programmes to mitigate the risks posed by an evolving threat landscape.

Data Breach Notifications by Category

  • Disclosure (Unauthorised): 5,837
  • Hacking: 146
  • Malware: 19
  • Phishing – Including Social Engineering: 74
  • Ransomware/Denial of Service: 32
  • Software Development Vulnerability: 5
  • Device Lost or Stolen (Encrypted): 19
  • Device Lost or Stolen (Unencrypted): 29
  • Paper Lost or Stolen: 275
  • E-Waste (Personal Data Present on Obsolete Device): 1
  • Inappropriate Disposal of Paper: 21
  • System Misconfiguration: 40
  • Unauthorised Access: 146
  • Unintended Online Publication: 61
  • Other: 78
  • Total: 6,783

E-Privacy Breaches 

The DPC received a total of 70 valid data-breach notifications under the e-Privacy Regulations (SI No. 336 of 2011), which accounted for just over 1% of total valid cases notified for the year. 

LED Breaches 

The DPC also received 25 breach notifications in relation to the LED (Directive (EU) 2016/680), which has been transposed into Irish law by certain parts of the Data Protection Act 2018.

DPC Assessment of a Breach 

Once a breach notification is lodged with the DPC, the DPC assesses it taking account of multiple aspects of the breach and the risks it poses. The first of these is the nature of the breach, including whether it was intentionally or accidentally caused, whether data was exfiltrated or made inaccessible, and the modes of technology and organisation involved. A history of breaches of a particular type may indicate a systemic issue affecting an individual data controller, a particular location or an entire economic sector. Characteristics of the personal data involved are central to the DPC’s assessment. These include the types, format and sensitivity of the personal data, the number of persons and records affected, and the potential for the data to be read or disseminated. The DPC will look at whether aspects such as profiling, automated decision making, monitoring or tracking have been taking place.

Similarly, categorisation of the data subjects — such as whether they are children or vulnerable persons — and characteristics of the data controller and/or processor, such as statutory responsibilities or processing of other types of personal data, can be highly significant. The number of data subjects and the location of these data subjects are also taken into account.

Other factors to be considered are the potential harms to data subjects resulting from disclosure, misuse or loss of personal data affected by the breach. This aspect of risk assessment is often overlooked by data controllers. Harms can range from temporary inconvenience to very serious risks, such as identity theft, financial loss, misdiagnosis of medical conditions or reputational damage. The DPC will consider what the impact on the affected individuals is, including the severity, scope and context of the harm to those persons.

Finally, the DPC assesses mitigating factors, such as whether backups are available, whether vulnerabilities have been addressed, and whether the data has been retrieved or further disclosure prevented. Often data controllers do not implement simple measures such as encrypting information shared via email, or ensuring that all IT security measures are not only in place but also kept regularly updated. These factors are taken into consideration in the assessment.

If the facts are not fully known or remain unclear after the DPC’s initial assessment of a breach, they will continue to engage with the controller until such time as all matters have been responded to, to the satisfaction of the DPC. In some cases, the controller or processor may be asked to reassess the causes and consequences of the breach and report on its findings. Breaches involving complex IT issues may require assessment and analysis by the DPC’s technical specialists. In cases where the controller has either produced or commissioned a technical report or investigation report on the breach, a copy of this will be requested.

Pending completion of its investigation, the DPC may direct and monitor progress — on a rolling basis — of measures implemented to remedy or mitigate the effects of the breach. These could include informing data subjects of the breach under Article 34 of the GDPR, or the implementation of technical or organisational measures to address vulnerabilities. 

Based on its assessment and on the controller’s actions to prevent or mitigate against further similar incidents, the DPC may conclude its investigation at this point. If the DPC is not satisfied with the mitigations or responses from the controller, it can escalate the matter for further investigative/enforcement action.

Review the Complete Report (PDF)

DPC 2020 Annual Report (English)

Read the original post via the Data Protection Commission (DPC Ireland) website.

* Copyrighted information note: shared by permission according to the Re-use of Public Sector Information regulations.

Source: ComplexDiscovery
