The Irish Data Protection Commission (DPC) dealt with thousands of data breach notifications in 2019, its first full year operating under GDPR.
But a puny 3.5 percent of the data breaches were the result of cybersecurity incidents, its annual report, published today, has revealed.
The vast majority blamed on “unauthorised disclosures” including “emails/letters to incorrect recipient”; “administrative processing errors”; “verbal disclosures”; “papers lost or stolen”; and “unauthorised access to personal data in the workplace”.
Here are the top five takeaways from the report.
1: Complaints on the Rise
The DPC received 7,215 complaints in 2019, out of these complaints 6,904 were related to GDPR. The remaining 311 were related to issues reported prior to GDPR and were handled by the commissioner under the previous Irish Data Protection Acts 1988 to 2003.
The majority of complaints that the DPC received pertained to access request issues which account for 29 percent of GDPR issues. Disclosure and data processing complaints made up 35 percent of the issues that people were reporting to the DPC.
Commissioner Helen Dixon commented that: “Disputes between employees and employers or former employers remain a significant theme of the complaints lodged with the DPC, with the battle often staged around a disputed access request.”
2: Breaches on the Rise
The DPC recorded 6,257 data-breach notifications in 2019, of these 6,069 were deemed to be valid data breaches.
These credible data breaches represent an increase of 71 percent when compared to the previous year. The top three sectors reporting breaches were the financial sector, insurance sector and the telecommunications industry.
The 71 percent rise in reports is understandable when you take into account the fact that under GDPR data controllers are legally obligated to notify the DPC about any personal data breaches.
As the commissioner notes that: “The default position for controllers is that all data breaches should be notified to the DPC, except for those where the controller has assessed the breach as being unlikely to present any risk to individuals and the controller can show why they reached this conclusion.”
3: Cyberattacks not the Problem
Interestingly out of the 6,257 data breach notifications dealt with by the DPC only 223 of them related to cybersecurity incidents. The majority (5,188) pertained to unauthorised disclosures, while only 108 were the result of a hack and 161 were due to phishing.
The report notes that: “The DPC has observed an increase in the number of repeat breaches of a similar nature by a large number of companies. This is most apparent in the financial sector, where the majority of breaches appear to be related to unauthorised disclosures.”
The DPC has identified five trends and issues that it encounters when it deals with breaches;
- Late notifications
- Difficulty in assessing risk ratings
- Failure to communicate the breach to individuals
- Repeat breach notifications
- Inadequate reporting.
4: Facebook Tops Statutory Inquiries Charts
In 2019 the DPC opened six statutory inquiries bringing the total number of multinational technology company statutory inquiries to 21. Out of these 21 inquires Facebook and its platforms WhatsApp and Instagram account for 11.
A DPC Inquiry is examining whether Facebook has complied with the obligation to have a legal basis to process personal data of individuals using the Facebook platform. While another is investigating the extent to which Facebook – acting as the data controller – can refuse to give a person their requested data if Facebook believes that the request is ‘manifestly unfounded or excessive.’
Because Facebook is headquarter in Ireland the Irish commissioner is the starting point for all EU data investigation and complaints into the social media giant.
As a result the French digital advocacy organisation – La Quadrature du Net – put in a complaint with the regulator which then started a “detailed examination of the processing operations underpinning the analysis of users’ behaviour/ activities (including profiling) on the Facebook platform and how that relates to the delivery of targeted advertisements to the user.”
5: Brexit
The DPC has spent significant resources on dealing with Brexit.
In the event of a no-deal and a lack of GDPR adoption by the UK, the rules around data transfer could be drastically changed as the UK would be considered a ‘third country’. This will greatly restrict the ability of businesses outside of the UK to transfer data into the country.
The DPC found that: “The main concern was that smaller companies who did not routinely transfer data to third countries could be in contravention of the GDPR if they continued to do so post-Brexit without applying the relevant safeguards to the transfer.”