Irish Data Protection Commissioner Releases 2016 Annual Report
On April 11, 2017, the Data Protection Commissioner of Ireland (DPC) published her annual report for 2016, highlighting key developments and activities for the past year and outlining priorities for 2017 and beyond. The report will be of interest to Irish entities and multinational organizations with a base in Ireland, including companies active in the technology and healthcare sectors.
In 2016, the DPC investigated a record number of complaints (1,479 in total, the majority involving data access requests); received 2,224 notifications of valid data security breaches (a decrease from 2015); carried out over 50 privacy audits and inspections; acted as lead reviewer in seven Binding Corporate Rules (BCR) applications; and held over 100 face-to-face meetings with multinational companies.
Here are the key highlights of the DPC’s 2016 annual report:
Special Investigations. The DPC’s Special Investigations Unit finalized preparations for a new 2017 investigation into the hospitals sector that will examine the processing of sensitive personal data in areas of Irish hospitals with patient and public access. The investigations will involve physical inspections and will span HSE facilities, private hospitals, and voluntary hospitals.
Data Breach Notifications. The majority of data breaches reported in 2016 concerned unauthorized disclosures in the financial sector. Other categories of breaches recorded by the DPC in 2016 included theft of IT equipment, website security, and security-related issues.
Multinationals and Technology. A Multinationals and Technology team was established to coordinate all regulatory activities relating to the cross-border processing of personal data by multinationals. Data controllers’ lack of awareness of data protection obligations, over-reliance on only one type of security measure, and human error were identified as the common issues in technology-related complaints. In engaging with technology multinationals, the DPC also emphasized the importance of “privacy by design” practices through the lifecycle of a product.
Privacy Audits. In 2016, the DPC carried out audits of state and private-sector entities to check for compliance with the Data Protection Acts. The key conclusion of the DPC’s audits was that “while high-level policies on data governance have been put in place, these have not filtered down sufficiently to an operational level.”
Enforcement and Litigation. The DPC prosecuted nine entities for electronic marketing offences under the ePrivacy Regulations in 2016; prosecuted an individual, a company and the company’s director under the Data Protection Acts; and issued two enforcement notices. The DPC also started proceedings in the Irish High Court seeking a reference for a preliminary ruling to the Court of Justice of the EU in relation to the validity of Standard Contractual Clauses. The hearing took place in February and March 2017, and the High Court’s judgment is expected (although a date has not been announced yet).
General Data Protection Regulation (GDPR). This is a key priority for the DPC and “the next 12 months are all about GDPR.” Organizations should look out for further GDPR guidance from the DPC in the course of 2017.
Denitsa Marinova is the author of this article.