Irish organisations are failing on data protection resources
21 June 2016
Irish organisations are failing to deploy sufficient resources to manage data protection compliance.
This is one of the points raised by the data protection commissioner Helen Dixon in the office’s 2015 annual report.
Amid a turbulent year that saw the striking down of the Safe Harbour agreement, as well as the publication of the General Data Protection Regulation (GDPR) to come into force in 2018, the Office of the Data Protection Commissioner said that new and expanded resources at its disposal “have allowed the authority to deliver clear improvements in response times, both for data subjects who raise complaints and for organisations seeking guidance in terms of implementing projects with implications for data-privacy rights.”
However, Dixon said in her foreword, “What becomes clear from dealing with many organisations in Ireland is that they deploy little resource themselves to manage data protection compliance. Some organisations appear to struggle with the principles-based nature of data protection legislation and suggest that it is difficult to correctly interpret and apply the principles in the specific scenarios with which they are dealing.”
‘Little real attempt’
“From what I have seen, little real attempt is made in some cases to interpret and apply the principles and to examine implementation from the perspective of affected data subjects. In other cases, organisations appear to not even be conscious that what they are proposing represents a significant interference with an individual’s data-privacy rights and view efficiency and cost-saving as automatically sufficient justifications for any action.”
Despite this disposition, Dixon remains clear on the role of the office.
“The DPC remains committed to its role of providing specific guidance. It is vitally important in improving privacy outcomes.”
This is no substitute, she warns, for adequate resources being assigned by organisations, and efforts made to fully understand obligations and requirements.
“The DPC does not have the resources to replace the requirement for organisations to procure their own expert advice and to build their own capability to manage and drive compliance.”
“It is helpful, therefore, that the forthcoming GDPR will bring an increased power of enforcement for data protection authorities, but, first and foremost, will explicitly put back onto organisations the clear obligation to properly organise themselves to ensure they are adequately protecting the individual’s fundamental right to data privacy and can demonstrate their accountability in this regard.”
The commissioner also raised a point regarding a perceived conflict between the role of the DPC in hearing complaints from individuals over potential data-privacy rights contraventions, and the Office’s role in providing guidance to organisations. The commissioner is unequivocal in her response.
“I believe no such conflict exists,” she asserts.
“Indeed, both roles are expressly prescribed in the EU legislation that underpins our functions, and, in fact, the GDPR will give greater emphasis to that consultation role, making it mandatory in certain cases. Additionally, while this Office and our European counterparts play an important role in advising the EU Commission on data protection matters, this does not bind us when it comes to examining a complaint from an individual. The provision of targeted guidance to organisations significantly improves privacy outcomes for individuals but never undermines the role of the Office in investigating a data protection complaint on its merits.”
Dixon said that this is particularly the case when dealing with some of the technology multinationals that have bases of operation here, which give “advance preview of the global service changes that these corporations intend to implement”.
“In many cases, this engagement is essential in protecting users’ data privacy,” said Dixon.
The commissioner cites the introduction by Facebook of updated advertising settings and controls, a revamped Privacy Check-up tool and updates to the ‘DYI’ tool as evidence of the success of this approach. Additionally, an updated interface for user settings and the introduction of an access tool on LinkedIn, she said, arose from an engagement in 2015.
“However, the DPC, as is the case for all data protection authorities in Europe and globally,” said Dixon, “is still small relative to the span of the supervisory role assigned to us under national and EU legislation. Essentially, data protection authorities are the supervisors of all entities – public and private – and now increasingly individuals, too, where they act as data controllers. Prioritisation is therefore essential.”
The commissioner argues that greater public debate and understanding of data privacy is also required.
“As society shapes the world we want to live in, data protection law must adapt and fit its safeguards around that shape. In many ways, the bigger questions that need to be grappled with centre around the kind of world we want to live in, where the boundaries between man and machine should lie, and the balancing of power and responsibility between individuals and organisations.
“The work the DPC engages in through the Global Privacy Enforcement Network, the Article 29 Working Party and the International Conference of Data Protection Commissioners allows us to participate in expert discussions focused towards delivering the best outcomes for today’s data subject, who is the subject of unprecedented personal-data collection, processing, tracking and profiling.”
To achieve that awareness, the commissioner spoke at more than 60 events across various industries in 2015, discussing not only the work of her office, but addressing the various requirements from organisations, data processors and consumers.
Busy enforcement year
The commissioner described 2015 as a “busy year” on the enforcement side, with direct-marketing offences to the fore, as they were in the previous report, resulting in a number of prosecutions of repeat offenders.
The Office has now established a Special Investigations Unit, led by an Assistant Commissioner, to carry out investigations on its own initiative, as distinct from complaints-based investigations.
This has been made possible by higher levels of government support, said the report, as characterised by initiatives such as the Government Data Forum, chaired by the Minister of State with special responsibility for data protection, Dara Murphy, TD.
The office dealt with 14,427 queries via a dedicated information email address, an increase from 13,500 in 2014 and 12,000 in 2013. In addition, 16,173 queries received by phone and 855 further queries by post were also dealt with.
Some 932 of the complaints received were opened for investigation, compared with 960 in 2014.
The report said that the largest single category of complaints related to data access rights, accounting for more than 60% of the total, “reflecting the extent of the difficulties some individuals experience exercising their statutory right of access”.
The commissioner said the Office plans to conduct an awareness campaign highlighting these issues during 2016.
The second-largest category of complaint concerned electronic direct marketing. While the majority of complaints were resolved amicably, said the report, formal decisions were made in 52 cases, 43 of which fully upheld the complaint.
The DPC received 2,376 data-security-breach notifications, an increase of 112 on the previous year, and carried out 51 audits and inspections including those on major holders of personal data in the public and private sectors.
Of the 2,376 data-breach notifications received, 59 (2.5%) were classified as non-breaches under the provisions of the Personal Data Security Breach Code of Practice (PDSBCP). A total of 2,317 valid data-security breaches were recorded during the period 1 January–31 December 2015, representing an increase of 5.9% (129) on 2014 (2,188).
The report goes on to highlight the changing breach notification regulations as part of the upcoming GDPR.
“Under Statutory Instrument 336 of 2011, only telecommunications and internet service providers currently have a legal obligation to notify this Office of a data security breach. However, Articles 33 and 34 of the GDPR, which is due to come into effect in 2018, will legally oblige all data controllers to notify this Office of any personal-data security breach that occurs.”
“Article 33(1) of the GDPR states that ‘the controller will without undue delay and, where feasible, not later than 72 hours after becoming aware of it, notify the personal data breach to the supervisory authority […] unless the personal data breach is unlikely to result in a risk to the rights and freedom of natural persons’. It further states that, where the notification is not made within 72 hours, the data controller must provide reasons for the delay in reporting.”