Covid-19 – GDPR Series – Part 4 – The GDPR at Two

Covid-19 – GDPR Series – Part 4 – The GDPR at Two

This article is the final part of a four-part series of articles that the lawyers of Reddy Charlton have issued during May to mark the two year anniversary of the introduction of the GDPR. Our intent is to refresh some of the measures introduced and also to consider them in the current Covid-19 related business environment.

In this article we review the GDPR, examining its impact on business, the role of the Data Protection Commission (the “DPC”) and we look ahead to what is occurring with regards to GDPR.

Is the GDPR resonating with the public?

Yes, since its launch some two years ago, various studies and surveys have shown that the general public have become more conversant with regards to their data protection rights and the GDPR generally. Awareness of their rights is demonstrated by a review of the recently published 2019 DPC report. In that report, the DPC indicated that the number of complaints they received in 2019 in relation to data protection issues has increased by a margin of 75% over the number received in 2018. Drilling into those figures, over 2,000 of the complaints related to data subject access requests and the right to access, particularly in relation to the failure of companies and organisations to respond adequately to data requests.

What is the impact of the GDPR in Ireland?

Of the 7,215 complaints made in 2019, some 6,904 were made under GDPR, while the remainder of the complaints came under its pre-existing legislation, namely the Data Protection Acts 1998 and 2003. In terms of the complaints made under GDPR, the DPC’s 2019 report details that 1,252 of these were being actively assessed at the year-end, 1,098 were proceeding to complaint-handling, and 4,554 complaints (66%) had been concluded within the year. The main areas of complaint include Access Requests (29%); Disclosure (19%); Unfair processing (16%); e- marketing complaints (8%) and Right to erasure of data (5%).

What powers does the DPC have?

The DPC has the power to conduct two types of statutory inquiries: a complaint-based inquiry and an inquiry of the DPC’s own volition. At the end of 2019, the DPC were conducting 70 statutory inquiries. 21 of the 70 statutory inquiries involve multinational technology companies, many of which have their European headquarters in Dublin, and as a result they have the DPC as their lead supervisory authority under the GDPR’s “one stop shop” mechanism. Other ongoing inquiries of note include an inquiry into a significant number of local authorities and An Garda Síochána regarding the use of CCTV, body cameras and other recording technology, and an almost concluded investigation into Independent News and Media concerning potentially unlawful disclosure of data to third parties.

Data breaches

As part of the GDPR, mandatory data breach notification obligations for all data controllers were introduced and 2019 saw 6,069 valid data breaches reported to the DPC, representing an increase in 71% on the number of notifications in 2018. The main offending sector is the area of Finance Services where the report states that the “DPC has observed an increase in the number of repeat breaches of a similar nature by a large number of companies. This is most apparent in the financial sector, where the majority of breaches appear to be related to unauthorised disclosures.” Unauthorised disclosures are by far the greatest contributor of notified breaches with some, accounting for 83% of all reported breaches.

The DPC has just last week (22 May) completed its inquiry into Twitter and this may pave the way for the first fines levied against ‘big tech’ firms by the Irish watchdog. The draft decision will remain confidential until other data watchdogs have reviewed it. The investigation into Twitter relates to the company’s handling of a data breach in November 2018 which it reported to the DPC. Specifically, the DPC examined Twitter’s compliance with two particular aspects of the GDPR – their promptness of the disclosure of the breach and how they handed aspects of the breach, including record keeping and documentation.

Ireland’s First GDPR Fines

In late May, Tusla (the child and family agency) became the first organisation in the State to be fined for a breach of the GDPR. The agency was fined €75,000 arising out of an investigation into three cases where information about children was wrongly disclosed to unauthorised parties. The lodgement of a case in the Circuit Court by the DPC last week confirmed the fine. This confirmation is required by the Data Protection Act 2018 to ensure that the DPC’s decision to impose a fine has due regard to fair procedures and constitutional justice. A spokeswoman for Tusla confirmed that it did not intend to contest the matters and will accept and respect the final order of the court.

The Data Protection Act 2018 enables the DPC to impose administrative fines of up to €1m on Irish State/public bodies, that do not act as undertakings within the meaning of the Competition Act 2002 (i.e. that are not in competition with private sector bodies). Public sector bodies that act as undertakings, and private sector bodies may be fined up to €20m or 4% of annual worldwide group turnover. In addition, the 2018 Act requires the DPC to publish particulars of any administrative fine which it imposes, and we await publication of the fine in due course.

2020 and beyond

Whilst 2019 can be seen to demonstrate the application of GDPR across all sectors and an increasing level of awareness of the regulations by the public, there still remains a significant body of work to be done. Looking ahead, the Commissioner, Helen Dixon wrote in her 2019 report that with regard to 2020 that “more remains to be done in terms of both guiding on proportionate and correct application of this principle-based law and enforcing the law as appropriate.”

2020 promises to be a very significant year for GDPR and the DPC in particular. The watchdog said on 22 May that it had passed other milestones in relation to a number of inquiries into Facebook and other platforms owned by it (Whatsapp Ireland and Instagram). Additionally, and of international significance is the fact that the DPC also said it has completed the investigation phase of an inquiry into Facebook Ireland’s obligations to establish a lawful basis for personal data processing. This inquiry is based on a complaint made by the Austrian privacy campaigner Max Schrems.

Given that the DPC has now issued its first fines and the high profile investigations against social media giants ongoing, it will be very interesting to see what the remainder of 2020 brings for the DPC and GDPR. What is clear, is that the DPC is now into it’s stride in terms of investigations into organisations that fall foul of the standards required by the GDPR. Organisations (no matter what their size) need to be conversant in and compliant with all aspects of GDPR, especially in the challenging situation we find ourselves in now with Covid-19, because the GDPR is here to stay.

What key steps should a business to ensure GDPR compliance?

• Ensure your Data Protection policies and procedures are robust and best practice.
• Maintain up to date records of processing and compliance with GDPR.
• Continuously provide updates and training to staff, with a particular focus on new entrants or recently promoted personnel whose data processing responsibilities may have changed.
• Regularly review and as appropriate update existing data processing contracts, notices and privacy statements and where applicable Data Protection Impact Assessments and Privacy by Design controls.
• Have workable plans for data breaches or statutory inquiries in place.
• Ensure that policies and procedures are being implemented and consider stress testing your data protection policies, procedures and training with realistic exercises and scenarios.

How can Reddy Charlton help?

During this Covid 19 crisis, Reddy Charlton Solicitors are eager to support, encourage and guide your business. If you have any queries or seek further information on Data Protection or any other area of commercial law, please contact Elaine McGrath at emcgrath@reddycharlton.ie or Jonathan Mills at jmills@reddycharlton.ie.



Jonathan Mills
Author: Jonathan Mills