The Data Protection Commission’s Annual Report for 2021
Reading time: 5min
Introduction
The Data Protection Commission (“DPC”) recently published its 2021 Annual Report (the “Report”), marking the end of the third full calendar year of the General Data Protection Regulation (“GDPR”).
Regulatory Strategy 2022-2027 (the “Strategy)
The Strategy was adopted in December 2021, following consultation with the public and stakeholders and a consideration of emerging academic theories in relation to effective regulation and behavioural economics. The Strategy sets out the DPC’s roadmap for what it believes will be five crucial years in the evolution of data protection law regulation and culture. The strategy is based upon five inter-connecting pillars of equal priority:
- Regulate consistently and effectively
- Safeguard Individuals and promote data protection awareness
- Prioritise the protection of children and other vulnerable groups
- Bring clarity to stakeholders
- Support organisations and drive compliance
With this in mind, the DPC has created the agenda of regulatory priorities which will achieve the overall objective ‘to do more, for more’.
Complaints made to the DPC
The Report contains the usual overview of complaints made to the DPC during 2021. A total of 3,419 complaints were made to the DPC. This represents a decrease in the overall amount of complaints made to the DPC in both 2019 and 2020.
The Report details that 52% of all complaints lodged in 2021 were dealt with within the year. In total, 3,564 complaints, including 1,884 complaints received prior to 2021, were concluded.
As has been the trend in recent years, the majority of complaints received by the DPC related to denied access to records. The Report sets out the top five categories of complaints received under GDPR, as shown here:
Type of Complaint | Number of Complaints | Percentage of Complaints |
Access Request | 1,232 | 42% |
Fair Processing | 560 | 19% |
Disclosure | 291 | 10% |
Right to Erasure | 263 | 9% |
Direct Marketing | 128 | 4% |
The Report notes a number of common issues which arise in the investigation of complaints in relation to access requests which would be prudent for data controllers to note:
- The data controller failed to acknowledge an access request,
- The data controller failed to perform an adequate search for the personal data,
- The data controller failed to advise the individual they were withholding data or the exemption they relied upon for same, or
- The data controller failed to issue a response within the required timeframe.
Under s.109(2) of the Data Protection Act 2018, the DPC is permitted, in circumstances where there is a reasonable likelihood of the parties to a complaint reaching an amicable resolution, to take such steps as it considers appropriate to arrange or facilitate such an amicable resolution. The DPC has, for the first time, provided details of complaints concluded in these circumstances. Where the DPC identified the possibility of a swift resolution to a complaint, it proceeds down a “fast-track” basis. In 2021, 463 of the 3,564 complaints concluded by the DPC were concluded by fast-track amicable means.
Data breach notifications
The introduction of GDPR brought about mandatory data breach notification obligations for all data controllers. 2021 saw a total of 6,549 valid data breaches reported to the DPC, representing a 2% decrease on the numbers reported in 2020. The DPC advised that, when assessing the necessity of notifying a breach, a data controller should particularly focus on the impact of a data breach on the rights and freedoms on an affected individual.
In line with previous years, the highest category of data breaches notified was in relation to unauthorised disclosures, accounting for 71% of the total notifications.
The Report notes that a disproportionately large chunk of breach notifications (2,707) originate in public sector organisations in Ireland. Other organisations with high levels of breach notifications include banks, insurance companies and telecoms companies.
The DPC noted that the cause of most unauthorised disclosures was poor operational practices and human error. An increase in the number of breaches caused by the issue of email correspondence to the incorrect recipient was recorded. In terms of breaches caused in relation to hard copy correspondence, a number of breaches occurred due to a failure of the data controller to update data, e.g. the data subject’s address, in a timely manner.
The DPC notes that it is taking a new strategic approach with regards to the handling of breach notifications. To date, the DPC would conduct its own risk and impact assessment and engage with the controller on mitigation actions and notification to data subjects, if required. This practice has ceased since January 2022. In most cases, the DPC will now only provide acknowledgement of receipt of breach notifications and will not issue recommendations or seek further information. However, the Report notes that the absence of further immediate engagement by the DPC will not indicate satisfaction with the notification itself, nor the assessment contained therein. The DPC will continue to assess all notifications individually and, in cases where the DPC deems the issues to warrant further information or a formal statutory inquiry, it will proceed in that way.
Statutory inquiries
The DPC may conduct two types of statutory inquiries: a complaint-based inquiry or an inquiry of the DPC’s own volition. The purpose of either inquiry is to make a formal decision as to whether there was an infringement under GDPR, and, where there is an infringement, to determine whether corrective measures such as fines should be applied. As of the year-end, the DPC were conducting 81 statutory inquiries, including 30 cross-border inquiries.
In 2021, the DPC imposed the below sanctions of fines and corrective measures.
