Matheson Reviews the Irish Data Protection...

Introduction

On 25 February 2021, the Data Protection Commission (the “DPC”) published its Annual Report 2020 (the “Report”), detailing its 2020 activities in monitoring, educating, and regulating the application of data protection as well as e-privacy laws in Ireland. 

Key focus areas for the DPC in 2020 included breach notifications, enforcement, international data transfers (including an increase in Binding Corporate Rules applications) and increased focus on the lead supervisory authority regulatory mechanism. 

One interesting development for 2020 was that of the marked increase in personal data security breaches which, as highlighted in the Report, was up 10% from the year 2019. 

Breach Notifications – 2020 In Numbers

• The DPC recorded a 10% increase in personal data security breaches against the previous year. 
• A total of 6,673 breaches were notified to the DPC. The most frequent of these was the unauthorised disclosure which accounted for 86% of the notifications. 
• 90% of the aforementioned recorded breach cases were concluded in 2020, a total of 5,932 cases. 
• 4,097 of the 6,673 breaches notified to the DPC occurred in the private sector. 
• 70 valid data breach notifications were made to the DPC under the e-Privacy Regulations (S.I. No. 336 of 2011), which accounted for just over 1% of total valid cases notified for the year. 
• 25 breach notifications were also received by the DPC in relation to the Law Enforcement Directive (Directive (EU) 2016/680), which has been transposed into Irish law by certain parts of the Data Protection Act 2018. 

Current Breach Trends

The DPC noted an increase in the use of social engineering and phishing attacks to gain access to ICT systems of controllers and processors. While the DPC acknowledges that effective ICT security measures may have been initially put in place by many organisations, this increase means that organisations are not engaging with proactive steps to monitor and review those measures, or to train staff and keep them aware of evolving threats. 

In order to mitigate the risks posed by this emerging threat, the DPC recommends that organisations undertake periodic reviews of their ICT security measures and implement comprehensive training plans for employees, which should be supported by refresher training and awareness programmes. 

How is a Breach Assessed by the DPC?

Given the high number of breach notifications received by the DPC, it is helpful that the Report outlines the various factors that the DPC take into account when assessing a breach and the risks to data subjects that it may import. Specifically, the DPC assesses the following aspects: 

• the nature of the breach: this includes (i) whether it was intentionally or accidentally caused; (ii) whether data was exfiltrated or made inaccessible; and (iii) the modes of technology and organisation involved. Importantly, the DPC notes that a history of similar breaches can indicate a systemic issue for a controller (or a location or economic sector); 
• the characteristics of the personal data involved: the DPC noted that this is essential to the assessment of the breach. These include the types, format and sensitivity of the data; the number of persons and records affected; and the potential for the data to be read or disseminated. In addition, the DPC will consider whether profiling, automated decision making, monitoring or tracking has been taking place; 
• the categorisation of data subjects: this is of similar import the DPC’s assessment of the breach, in particular whether any children or vulnerable persons are involved; 
• the characteristics of the controller and / or processor: if the organisation is one which has any statutory responsibilities or if it is processing other types of personal data, this can be highly significant to the DPC’s assessment of the breach. The volume and location of data subjects is also taken into account; 

Considering the Impact of the Breach

Organisations should also have regard to the impact of the breach, an aspect of the risk assessment which the DPC notes is often overlooked. In this regard, the DPC will assess the potential harms to data subjects resulting from the disclosure, misuse or loss of personal data affected by the breach. 

What amounts to “harm” varies from case to case and may range from temporary inconvenience to serious risks to data subjects, such as identity theft, financial loss, misdiagnosis of medical conditions or reputational damage. The DPC will also consider how that harm impacts upon the individuals concerned, including the severity, scope and context of those persons. 

Another key aspect for organisations to consider is what mitigating factors they have in place to combat the severity of personal data breaches. The robustness of such measures, such as whether backups are available, vulnerabilities are addressed, and whether the data is retrieved or further disclosure prevented, will be interrogated by the DPC as part of their assessment. 

The Report warns of the risks inherent in failing to implement basic measures such as encryption of information shared via email and ensuring that all IT security measures are in place and regularly updated. These factors are all considered as part of the assessment and it is evident that failure in this regard will not be regarded favourably by the DPC. 

Engagement with the DPC

The Report makes it clear that organisations should expect continued engagement with the DPC in the event that the facts of the breach are not fully known or remain unclear following the initial assessment by the DPC of the breach. It is important to remember that such engagement will continue until the resolution of matters to the satisfaction of the DPC. 

Organisations should be prepared to reassess the causes and consequences of the breach and be able to report on its findings. In addition, particularly complex breaches may require assessment and analysis by the DPC’s technical experts. In cases where technical reports upon the breach have been commissioned or produced by organisations, these may be requested by the DPC. 

Organisations should also prepare for continued monitoring of progress by the DPC pending completion of any investigation, including direction and monitoring of any mitigating measures implemented by an organisation. Such measures may include informing data subjects of the breach under Article 34 of the GDPR or the implementation of technical or organisational measures to address vulnerabilities. 

Organisations should bear in mind that if the DPC is not satisfied with the organisation’s mitigation or responses, it may escalate the matter for further investigative / enforcement action. 

What Can We Learn from the Report?

The attention afforded to personal data breaches and relevant Case Studies should not be ignored by organisations. In particular, they provide a number of key takeaways, which are useful to both mitigating the risks of personal data breaches and follow-up enforcement action. These include: 

• undertaking a review of your existing ICT security measures to assess whether they are sufficient to withstand social engineering, ransomware and / or phishing attacks; 
• assessing whether the technical and organisational measures you currently have in place are sufficiently complex by reference to the personal data you hold. For example, if you process particularly sensitive data such as health or financial data, more sophisticated safeguards should be implemented to ensure its continued security; 
• ensuring that appropriate training sessions and supplementary materials are provided to staff on an ongoing basis. This may include, for example, procedures in respect of approved organisational communication tools and general GDPR-compliance training; 
• ensuring that an effective breach response plan is put in place and circulated to all staff members; 
• ensuring that the Article 28 GDPR data processing agreements that you have in place with your service providers are sufficient to implement the requirements of Article 28, specifically that the processor assists the controller in meeting its obligations for security of processing, and for reporting and responding to breaches; 
• being proactively prepared for engagement with the DPC by putting in place a log of actual or suspected personal data breaches, where all the relevant aspects of the breach are recorded in detail, together with the mitigating measures put in place to combat the potential harms; and 
• designating a point of contact (this may be an individual or a team) for engagement with the DPC. 

What Next

The DPC is confident that the progress it made in 2020 provides a solid platform from which to build in 2021. Indeed, funding for the DPC has continued to build year on year, with 2020 seeing an increase of €1.6 million on its 2019 budget. 

As well as continuing to monitor and enforce compliance with regard to cookies, up to seven “Big Tech” investigations are due to be finalised by the DPC in 2021, meaning that enforcement and corrective measures are likely to pick up speed in 2021. 

In relation to personal data breaches, the DPC has reasserted its belief in the value of the mandatory requirements to notify under the GDPR. This enables the DPC to gain valuable insights into the risks surrounding the security and processing of personal data which is arising in organisations on a case by case basis, thereby allowing them to intervene and provide helpful guidance on the mitigation of measures around those risks, where appropriate. 

Given the figures seen in the 2020 Report, it is likely that such intervention and guidance will become more commonplace, which is a welcome development for organisations committed to protecting data subjects against personal data breaches in as efficient and informed a manner as possible.

March 2021