DPC receives over 1,100 reports of data breaches since start of GDPR rules

Rise appears to reflect more stringent reporting obligations under EU’s new data protection regime


More than 1,100 reports of data breaches involving people’s personal information have been received by the Data Protection Commission in the two months since a new EU legal regime came into force.

The 1,184 reports to the commission mean data breach reports are significantly up on the average of 230 reported each month in 2017.

However, the increase appears to be a reflection of more stringent reporting requirements under the EU General Data Protection Regulation, which came into force on May 25th.

The regulation introduces mandatory reporting of data breaches unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, or data subjects.

Breaches must be reported “without undue delay” and, where feasible, not later than 72 hours after the data controller becomes aware of them.

Figures from the commission – formerly the office of the Data Protection Commissioner – reveal it has logged 1,184 data breach notifications since May 25th. It said that, of these, the regulation applied in 953 cases.

It has also logged 743 complaints, of which the regulation applied in 267 cases. The total number of complaints received by the office last year was 2,642, which was itself an increase of 79 per cent on 2016.

Volumes

A spokesman for the commission said it was receiving complaints and breach notifications that relate to issues that occurred both post- and pre-GDPR, and that the pre-GDPR cases are therefore dealt with under the old legislation.

“By way of comparison, the Irish DPC received, on average, approximately 230 data breaches and 220 complaints per month last year (2017). As you can see there has been a significant increase in the volumes of both breaches and complaints to the DPC since May 25th,” he added.

In order of popularity, the most frequent GDPR complaint issues relate to processing involving the disclosure of personal data without a legal basis, access requests (where people seek information about data held on them), and unfair processing.

Up to July 23rd, the total number of data protection officers (DPOs) notified to the commission was 514, across a wide range of public and private sector organisations, it confirmed.

The regulation requires data controllers and data processors to designate a DPO where processing is being carried out by a public authority or body, or where the data processing operations require “regular and systematic monitoring of data subjects on a large scale”.

A DPO is also required when the core activities of the controller or processor consist of the processing on a large scale of “special categories” of data, or data regarding criminal convictions or offences. Special categories of data include health data, data involving racial or ethnic origin, data about political opinions and religious beliefs.

The spokesman said the DPO had “a central role to play in organisations in relation to driving compliance with GDPR”.

“The DPC’s awareness-raising activities will continue to underline for organisations their responsibilities in relation to the designation of a DPO. In addition, the DPC is keeping the DPO notifications under close review and will continue to engage with data controllers and processors to ensure that the requirements of GDPR are complied with in relation to the designation and role of DPOs,” the spokesman said.

In total, there are more than 100 so-called “one-stop shop” cases, or cross-border cases, registered in the system. These are cases under the new “consistency mechanism” in the GDPR, which requires cooperation between data protection authorities in the EU member states.

The commission said about 37 per cent of the cases assume Ireland is the lead supervisory authority, 13 per cent Germany and 11 per cent Luxembourg, with other member states accounting for much smaller percentages of cases.