Insights

We Dug in to the DPC’s Annual Report so You Don’t Have To

By Carey Lening

March 1, 2022

20min read

It’s been a busy few months in the world of data protection. Since our last Advisory Note, the DPC has been issuing fines and judgments in a number of cases including:

Limerick City and County Council – The CCC’s use of CCTV was unlawful, excessive, lacked legal basis for processing and failed to ensure that numerous technical and organisational measures were in place. The DPC imposed a €110,000 fine and a reprimand, and ordered the Limerick CCC to bring their programme into compliance within 90 days, or cease processing.
Department of Social Protection – Legal proceedings between the DPC and the toDSP regarding the use of the Public Services Card for identification was finally resolved in December. Public sector bodies no longer can compel any individual acquire a PSC as a precondition to the provision of access to public services.
The Teaching Council of Ireland – The DPC determined that the Council infringed Art. 5(1) and 32(1) of the GDPR by failing to ensure appropriate security controls. €60,000 fine, a reprimand and an order to bring their systems into compliance by 2 June 2022.
Facebook Draft Decision – Facebook received a revised draft decision from the DPC on 21 February 2022, which is likely to include a ban on all processing activity in the EU. The draft hasn’t been publicly released.

On Thursday, the DPC issued its annual report and five-year roadmap (2022-2027). The report, which clocks in at 124 pages, provides good insight into the DPC’s 2021 enforcement actions, workload, funding, and most importantly, their strategic direction for the next five years. Castlebridge’s Blessing Mutiro also looked at the DPC’s historical trends and guidance, to get further insight on how all of these pronouncements may play out in practice.

The Word from on High – The DPC 2021 Annual Report

As our fearless leader Daragh O’Brien is wont to say, the gloves appear to have come off at the Irish DPC. The Commissioner, Helen Dixon, ever-mindful of the criticisms lodged against the beleaguered agency, used the 2021 report to clarify the DPC’s progress to date (including complaints, inquiries, investigations, and cross-border actions) and where the commission plans to focus its future efforts. In 2021, the DPC received 10,888 queries and complaints from individuals (up 7% from 2020) and concluded 10,645. The vast majority of complaints concerned issues related to controllers’ handling of access and erasure requests, abiding by fair processing principles, unauthorized disclosures, and complaints regarding direct marketing:

The DPC also set out its five-year strategy. The Commission (which got a bit of a budget bump of €2.2M over last year’s budget for a total of €19.128M) has committed to prioritising:

Consistent and effective regulation
Safeguarding individuals and promoting data protection awareness, particularly the protection of children and other vulnerable groups
Bringing clarity to stakeholders
Supporting organizations and driving compliance

Going forward, the DPC signaled that it would be moving away from its hands-on approach with regard to data breaches, and shortening the period for amicable resolution. It plans to focus on those cases which warrant further investigation (e.g., repeated breaches or complaints against the same controller). (p 51)

The Regulator also noted that it would be moving to streamline the process from complaint –> inquiry –> resolution. When we look at the Data Protection Act 2018, we see a suggestion of what this might mean in practice.

Section 109(2) states that the if the Commission considers that there is a reasonable likelihood of the parties reaching an amicable resolution in a reasonable time, they will take steps they feel appropriate to facilitate such a resolution. The key question is what constitutes a “reasonable time” in this context?
Section 108(2)(b) requires the DPC to inform a complainant within three months from the date a complaint is received as to the progress or outcome of the complaint.

This would suggest that, within the constraints of their statutory authority, the DPC will be implementing a maximum 3 month window for Controllers and Data Subjects to resolve things amicably before an investigation is formally commenced.

This is consistent with the approach suggested by Castlebridge in our submission to the Oireachtas Justice Committee in 2020 (see page 41) and to the DPC’s Regulatory Strategy Consultation process.

Reading the Tea Leaves: What Do the DPC Priorities Mean in Practice?

The DPC has provided several decisions (many noted above) following infringements of the GDPR and the Data Protection Act 2018. These decisions reveal some common failures in compliance across the following general categories: People, Processes, Technology, & Governance.

People

Controllers and Processors need more than one-off training sessions on data protection. Training should be ongoing, continuous, and tailored to staff roles and their access to data. Records also need to be maintained to ensure that training has occurred, and that it’s sinking in. Staff must be trained on key processes and aspects of processing undertaken by their roles. Training should be practical and should consider common technical and organisational measures to protect data. For example:

Proper methods for encrypting documents (and the importance of doing so)
Safe and consistent disposal processes (particularly in the context of WFH)
The importance of not sharing personal information over insecure channels like SMS
Recordkeeping and accuracy.

In 2021, the DPC handled 187 complaints regarding data breaches, and 291 complaints regarding unauthorized disclosure of personal data. A reminder that the real risk to organisations is not the shadowy hacker, but your colleague putting the mailing list in the to: instead of the bcc: field.

Processes

Controllers and processors should conduct regular reviews and updates of their processes to ensure that technical and organisational measures are adequate and ensure the security and protection of personal data. This means reviewing records of processing activities (ROPAs), building in data protection impact assessments (DPIAs) before new products or services are launched, regular vendor and security reviews, and regular risk assessments.

Governance

Organisations also need clear and relevant polices in place that detail not only the how, but also the why, of their data processing activities. Inaccurate or inadequate policies in organisation aren’t generally worth the paper they’re written on. Policies must also include sufficient oversight, checks & balances to guarantee that staff are actually complying with the organisations’ higher goals.

Secondly, organisations must ensure that whenever they process personal data, they have good data management in place. Poor data management leads to inaccurate internal records that create risks to the fundamental rights and freedoms of data subjects.

Finally, organisations need to ensure that their change management processes include core ideas like testing, review, roll-back procedures and auditing. A formal approval procedure for the proposed change (before its implementation) should be standard practice, and testing should be documented.

How Castlebridge Can Help

The DPC’s new regulatory strategy and posture on enforcement means organisations need to invest in on-going training and skills development for staff across a range of areas, from basic data protection awareness to more detailed competency and capability development.

Castlebridge can provide training at a range of levels and in a variety of formats (self-directed e-learning, tutor supported learning, live instructor lead courses through our DataEducation.ie portal.