Data Protection Commission of Ireland Publishes Annual Report: Data Privacy Trends

I’ve known about this for over a week, but it seemed appropriate to wait to cover it today for some reason.  Maybe the clue is in today’s graphic?  😉

2020 was the second full year of application of the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED). Here’s the annual report for 2020 by the Data Protection Commission (DPC) of Ireland in 2020, which details the extensive span of regulatory work completed by in the discharge of its wide-ranging role in overseeing and regulating the application of EU data protection and e-privacy laws.

As recently covered on Rob Robinson’s Complex Discovery blog, in this recently published report (February 25, 2021), DPC Ireland details the extensive span of regulatory work completed during its discharge of duties in the role of overseeing and regulating the application of EU data protection and e-privacy laws. As part of that detailing of work, the DPC shares details about breach notifications to the DPC during 2020.

Supporting Individuals

From 1 January 2020 to 31 December 2020:

  • The DPC received in excess of 23,200 electronic contacts, almost 10,000 phone calls and 2,000 postal contacts;
  • The DPC handled a total of 10,151 cases in 2020, up 9% on 2019 figures (9,337).
  • The DPC received 4,660 complaints from individuals under the GDPR;
  • Overall, the DPC concluded 4,476 complaints, including 1,660 complaints received prior to 2020;
  • Over 60% (2,186) of complaints lodged with the DPC in 2020 were concluded within the same calendar year; and
  • The DPC continued to reduce conclusion times for cases (average days taken to conclude a case has reduced by 53% since the GDPR came into application).

In 2020, the most frequent GDPR topics for queries and complaints continued to be: Access Requests; Fair-processing; Disclosure; Direct Marketing and Right to be Forgotten (delisting and/or removal requests).

Breaches Under the GDPR

In 2020, the DPC received, 6,783 data-breach notifications under Article 33 of the GDPR, of which, 110 cases (2%) were classified as non-breaches as they did not meet the definition of a personal-data breach as set out in Article 4(12) of the GDPR. A total of 6,673 valid data protection breaches were recorded by the DPC in 2020, representing an increase of 10% (604) on the numbers reported in 2019.

As in other years, the highest category of data breaches notified under the GDPR were classified as Unauthorised Disclosures and accounted for 86% of the total data-breach notifications received in 2020. The majority of breaches occurred in the:

  • Private Sector: 4,097
  • Public Sector: 2,559
  • Voluntary: 16
  • Charity: 1
  • Total: 6,673

The DPC also saw an increase in the use of social engineering and phishing attacks to gain access to the ICT systems of controllers and processors. While many organisations initially put in place effective ICT security measures, it is evident that organisations are not taking proactive steps to monitor and review these measures, or to train staff to ensure that they are aware of evolving threats. In these instances, we continue to recommend that organisations undertake periodic reviews of their ICT security measures and implement a comprehensive training plan for employees supported by refresher training and awareness programmes to mitigate the risks posed by an evolving threat landscape.

Data Breach Notifications by Category

  • Disclosure (Unauthorised): 5,837
  • Hacking: 146
  • Malware: 19
  • Phishing – Including Social Engineering: 74
  • Ransomware/Denial of Service: 32
  • Software Development Vulnerability: 5
  • Device Lost or Stolen (Encrypted): 19
  • Device Lost or Stolen (Unencrypted) 29
  • Paper Lost or Stolen: 275
  • E-Waste (Personal Data Present or Obsolete Device: 1
  • Inappropriate Disposal of Paper: 21
  • System Misconfiguration: 40
  • Unauthorised Access: 146
  • Unintended Online Publication: 61
  • Other: 78
  • Total: 6,783

Rob has much more coverage of the report, including discussion of the how the DPC assesses a breach.  The entire 98(!) page report is available here – you may have to pinch yourself to get through it!  But only if you’re not wearing green!  😉

Happy St. Patrick’s Day!

So, what do you think?  Are you surprised that the number of reported breaches grew only 10%?  I am.  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Leave a Reply