Surge in number of data breaches reported to Commission in 2018
The number of data breaches reported to the Data Protection Commission soared by 70% last year, as new data protection rules were introduced across Europe.
In total, the watchdog was notified of 4,740 breaches during 2018, with 3,542 of those lodged in the seven months after the General Data Protection Regulation came into force in May.
The volume of complaints made to the regulator also jumped by over 50% last year to 4,113, with 2,864 of those coming after the GDPR’s commencement on 25 May.
The largest number of these complaints related to the right of access to personal data held by others, with unfair processing of data and disclosure among the other biggest categories.
“The rise in the number of complaints and queries demonstrates a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data,” said Data Protection Commissioner Helen Dixon.
The figures are contained in the first annual report of the organisation since it changed from being the Office of the Data Protection Commissioner to the DPC in the middle of last year.
The body also opened 15 statutory investigations between May and December last year into issues around whether large technology multinationals were compliant with GDPR.
Seven of those are focused on Facebook alone, with two looking at its sister company WhatsApp and one examining an issue with Instagram, which is also owned by the social networking giant.
Twitter and Apple are also the subject of two ongoing inquiries each, while LinkedIn is the focus of one.
“All these inquiries should reach the decision and adjudication stage later this year, and it’s our intention that the analysis and conclusions in the context of those inquiries will provide precedents for better implementation of the principles of the GDPR across key aspects of internet and ad tech services,” Ms Dixon said in her report.
GDPR also introduced a one-stop-shop mechanism to allow companies operating in multiple EU countries to be overseen by a single regulator in just one.
Over the period examined by the annual report, 136 cross-border processing complaints were received by the DPC using this new system of governance.
GDPR also made it mandatory for organisations here to report data breaches to the DPC and this change is reflected in the surge of cases notified to the authority in the second half of the year.
“While it would be an ideal world if there were fewer, the DPC’s experience generally is that most organisations engage with the DPC and accept our guidance around mitigating losses for affected individuals, communicating any high risks to them and learning lessons from the breach to avoid a repeat,” Ms Dixon wrote in the report.
The DPC also initiated 31 inquiries itself under the Data Protection Act 2018 into the surveillance of citizens by the State sector for law enforcement purposes in public spaces.
These probes will examine a range of technologies, including body-warn cameras, drones, CCTV and systems that use automatic number-plate recognition (ANPR).
The first module is focusing on the 31 local authorities and the second will look at An Garda Síochána, with more to follow.
A special investigation into the State’s Public Services Card also continued during the period.
Electronic direct marketing continues to be a problem area for many people, according to the report, with 32 new complaints investigated over the course of the seven months.
The biggest culprit was email marketing, accounting for 18 of these complaints, followed by SMS marketing (11) and telephone marketing (3).
However, a number of these inquiries led to charges being brought under the E-Privacy Regulations, with five successful prosecutions for a total of 30 offences secured in the District Court.
The DPC also handled 48 data-breach complaints from affected data subjects during the period, with most cases concerning the personal data of an individual being issued to another third party in error.
The number of cyber security compromises notified also rose again last year, with the number of notifications increasing sharply from 49 cases in 2017 to 225 in 2018.
Cases included phishing, malware and ransomware attacks with an increase in the use of social engineering and phishing attacks to gain access to the ICT systems of controllers and processors also recorded.
“It is notable that many of the data breaches notified to the DPC involving a risk to financial data resulted from compromised or stolen credentials,” the report said.
“In relation to the public-sector breaches notified to the DPC, it is of particular concern that a large number involved special categories of personal data or data relating to criminal convictions or offences.”
The report also outlines how late last year a project began to examine the processing of children’s person data and their rights as data subjects under GDPR, with a public consultation on the issue open until tomorrow.
Staff numbers at the DPC continued to grow alongside the workload between May and December, with 135 now employed at the commission and 30 more set to join this year.
Funding for the DPC has risen from €1.7 million in 2013 to €11.6 million in 2018.
“Although we are still in the stage of having to bust some myths and misunderstandings that have built up around the GDPR, we feel very optimistic about the improvements we will see in Ireland in personal-data-handling practices over the next few years,” Ms Dixon said.
Article Source: http://tinyurl.com/kbwqb42