This week, the Data Protection Commission (DPC) published its Annual Report for the period 25 May – 31 December 2018. The DPC confirmed significant increases during the latter half of 2018, most notably in the number of complaints received (56% increase) and the volume of data security breaches reported (70% increase).

• In the second half of 2018, 2,864 complaints were received. In total, 4,113 complaints were received during 2018 representing a 56% increase on the total number of complaints received in 2017.
• Access rights once again made up the largest category of complaints at 977. While most complaints continue to be amicably resolved, the DPC did issue a total of 18 formal decisions.
• The DPC was notified of a total of 3,542 valid data security breaches, 38 of which related to just 11 multinational technology companies.
• The DPC received 136 cross-border processing complaints through the new One-Stop-Shop mechanism that were lodged by individuals with other EU data protection authorities.
• The Special Investigations Unit (SIU) opened 31 inquiries into the surveillance of citizens for law-enforcement purposes, the inquiries focus on the use of new technology such as CCTV, body-worn cameras, automatic number plate recognition enabled systems, and drones.
• 15 investigations were commenced in relation to the compliance of multinational technology companies with the GDPR.
• The DPC investigated 32 new complaints under the ePrivacy Regulations, in respect of various forms of electronic direct marketing, the majority of which related to email marketing. A number of these investigations concluded with successful District Court prosecutions by the DPC.
• 900 Data Protection Officer notifications were received which the DPC noted as a promising development, suggesting that the response of industry, public and private sectors has been strong, which the Commission views as essential to “embedding effective data protection practices in …. organisations and driving real improvements in standards of data protection and security”. 
• In line with the regulator’s increased work load, staffing numbers within the DPC also increased from 85 at the end of 2017 to a total of 110 by the end of 2018.

The DPC also noted an increase in the use of social engineering and phishing attacks to gain access to the ICT systems of businesses. Noting that while many organisations initially put in place effective ICT security measures, there remains an issue around the review and monitoring of the measures initially implemented. The DPC reiterated the need for organisations to undertake periodic reviews of their security measures and implement comprehensive training plans for employees to include refresher training, with an emphasis on awareness programmes aimed at mitigating the risks posed by an ever-evolving threat. 

The DPC notes that both the complexity of the queries and complaints received have increased post-GDPR, suggesting an increased awareness among the public of the GDPR and data protection issues in general. 

For further information, please contact John Magee or your usual William Fry contact.

Follow us on Twitter @WFIDEA; @WilliamFryLaw