The Office of the Irish Data Protection Commissioner (DPC) today (April 11th) published its Annual Report for 2016. The Report sets out the responsibilities of the Office going forward and outlines notable findings, decisions and expectations associated with data protection compliance in Ireland at this important point in the evolution of this fascinating area of regulation. At 64 pages long, the Report offers an insight into the ethos of the DPC and gives Irish public and private sector organisations a good understanding of what is required of them to achieve compliance under existing legislation as well as with regard to the forthcoming General Data Protection Regulation (GDPR) and ePrivacy Regulation.
The responsibilities of the DPC are now more relevant than ever, owing to the location of technology multinationals; many of which have based their European headquarters in Ireland. To reflect this heightened status, the DPC is undergoing a rapid expansion in terms of staff and areas of expertise in order to adequately address the need for comprehensive regulatory oversight of data controller and processor activity. As the Report states, the GDPR, which enters into law on May 25th 2018, will significantly increase “the accountability and compliance obligations on organisations, while also providing for additional enumerated rights for individuals. This new legal framework will also form the basis for much greater cooperation between European data protection authorities. In particular, the DPC’s role under the DPR will become a central one in Europe as a lead supervisory authority for the regulation of many multinational companies that are established in Ireland.”
Among the notables from 2016 were:
- 33,229 queries
- 1,479 complaints investigated
- 26 ‘Right to be Forgotten’ complaints
- 59 formal decisions issued
- 2,224 valid data security breaches recorded
- 50 audits carried out
- 9 entities prosecuted for electronic marketing offences committed under the Data Protection Acts and ePrivacy Regulations
Another interesting element of the Report is confirmation that the DPC’s recently formed Special Investigations Unit has now finalised preparations to conduct an investigation into the hospitals sector during the coming months. This formal investigation will examine the processing of patient-related sensitive personal data in Irish hospitals and will “focus on the circulation and journey of patient files in order to identify whether there are any shortcomings in terms of meeting the requirements of the Data Protection Acts to keep personal data safe and secure and to have appropriate measures in place to prevent unauthorised access to or disclosure of personal data.”
It will be interesting to observe how effective this and other investigations that are conducted by this Unit, and indeed the DPC, will be in fostering a culture of compliance across various sectors within Ireland going forward. The DPC, while espousing progression in terms of capability and enforcement practices regarding compliance with legislation, still falls some way short in terms of prosecutions when compared to the UK Information Commissioner’s Office which brought over 100 prosecutions during 2016. Moreover, the ICO now appears to be actively pursuing prosecutions with the Office’s prosecution of eleven different charities making headlines last week.
Accordingly, thanks to the specificity of the GDPR, which provides for greater prosecutorial scope in the event of non-compliance with Data Protection Legislation, the DPC will also be expected to extend its reach and ‘ramp up’ prosecutions during the run up to, and subsequent to, the Regulation entering into law next year.