Summary of Ireland’s Data Protection Commission Annual Report
The Irish Data Protection Commission (DPC) issued a report on its activities between May 25, 2018, the commencement date for enforcement of the General Data Protection Regulation (GDPR), and the end of the year.
Here are some of the statistics included in the annual report:
1,000+ Data Protection Officers have been appointed by organizations and notified to Ireland.
4,000 notifications of data breaches by organizations.
3,687 data breach notifications under Article 33 of GDPR were received.
1,928 complaints were made under GDPR.
38 Personal Data Breach notifications under GDPR from 11 multinational technology companies.
15 statutory inquiries (investigations) into multinational technology companies concerning GDPR compliance.
30 staff were added last year; 20 more were added in January, and the DPC anticipates another 30 by the end of the year.
Multinational Technology Companies Statutory Inquiries
The DPC opened inquiries into data processing at Facebook, Apple, Twitter, LinkedIn, WhatsApp and Instagram. The DPC indicated these inquiries should reach the decision and adjudication stage later this year. The goal is for the analysis and conclusions to provide precedents for better implementation across the internet and adtech. The DPC acknowledges that there are privacy risks in other sectors but “initial complaints and breaches have focused the DPC in this area and warrant attention in light of the hundreds of millions of users implicated.”
Facebook & Subsidiaries:
– Right of Access and Data Portability
– Lawful Basis
– Lawful Basis – WhatsApp
– Lawful Basis – Instagram
– Lawful Basis for behavioral analysis and targeted advertising
– Cybersecurity (Ireland & Parent)
– Breach Notification (Both Token Breach & a separate investigation)
Twitter:
– Right of Access
– Cybersecurity
Apple:
– Lawful Basis for behavioral analysis and targeted advertising
– Transparency
LinkedIn:
– Lawful Basis for behavioral analysis and targeted advertising
Update on Codes of Conduct under Article 40
“[T]hese should be approved and published by the EDPB in Q1 of 2019. The DPC looks forward to industry embracing Codes of Conduct and raising the bar in individual sectors in terms of standards of data protection and transparency. Codes of Conduct are important because they will more comprehensively reflect the context and reality of data processing activities in a given sector and provide clarity to those who sign up to the standards that need to be attained in addition to external monitoring by an independent body.”
The Irish DPC has a consultation open to submissions on processing of children’s data. The DPC is going to put together best practice guidance when the consultation closes and then look at industry sectors for a Code of Conduct.
2018 Strategic Objectives of DPC
1. Develop capacity and capabilities under the new GDPR, Law Enforcement Directive and ePrivacy Regulation.
2. Collaborate with EU and DPA counterparts, and regulatory bodies in other sectors.
3. Drive data protection awareness and compliance.
4. Ensure effective oversight and enforcement.
The DPC is developing a five-year regulatory strategy that will include extensive external consultation during 2019.
Complaint Breakdown Under GDPR
Categories of complaints containing more than 10% of the overall number:
Access Rights – 30%
Multinational Complaints – Others – 22%
Unfair Processing of Data – 15%
Disclosure – 11%