The volume of complaints made to the regulator also jumped by over 50% last year to 4,113 with 2,684 of those coming after the GDPR’s commencement on May 25th. The largest number of these complaints were related to the right of access to personal data held by others, with unfair processing of data and disclosure among the biggest categories.
“The rise in the number of complaints and queries demonstrates a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data,” said Data Protection Commissioner Helen Dixon.
The figures are contained in the first annual report of the organisation since it became the DPC in the middle of 2018. The body also opened 15 statutory investigations between May and December last year into issues around whether large multinational technology companies were GDPR compliant.
Under GDPR it is mandatory for organisations to report data breaches to the DPC and this change is reflected in the surge of cases notified to the authority in the second half of the year.
“While it would be an ideal world if there were fewer, the DPC’s experience generally is that most organisations engage with the DPC and accept our guidance around mitigating losses for affected individuals, communicating any high risks to them and learning lessons from the breach to avoid a repeat,” Ms Dixon wrote in the report.
The DPC initiated 31 inquiries under the Data Protection Act 2018 into the surveillance of citizens by the State sector for law enforcement purposes in public spaces. These probes will examine a range of technologies, including body cameras, drones, CCTV and systems that use automatic number plate recognition (ANPR).
The first module is focusing on the 31 local authorities and the second will look at An Garda Síochána, with more to come.
The number of cybersecurity compromises notified also rose again last year, increasing sharply from 49 cases in 2017 to 225 in 2018. The cases recorded included phishing, malware and ransomware attacks aimed at gaining access to the ICT systems of controllers and processors.
“It is notable that many of the data breaches notified to the DPC involving a risk to financial data resulted from compromised or stolen credentials,” the report said.
“In relation to the public-sector breaches notified to the DPC, it is of particular concern that a large number involved special categories of personal data or data relating to criminal convictions or offences.”
The report outlined a project examining the processing of children’s personal data and their rights as data subjects under GDPR.