Data Protection Commission’s Annual Report 2021

The Data Protection Commission (“DPC”) recently published its Annual Report for 2021. The report provides an overview of the large-scale inquiries, investigations and regulatory activities the DPC carried out during 2021. In this article, we identify highlights in the report that we believe organisations should keep in mind for 2022.

Key Highlights

• The DPC received a total of 6,549 valid breach notifications in 2021, with unauthorised disclosures accounting for 71% of the total breach notifications.

• In 2021, the DPC concluded 5 large-scale inquiries; sent forward 4 draft decisions to the EU co-decision making process; referred 1 case to the EU dispute resolution mechanism on foot of which the DPC issued a finalised decision; issued a further 9 preliminary drafts of decisions for submissions to regulated entities and complainants in advance of finalisation, and sought submissions on statements of issues or inquiry reports from relevant parties in a further 17 inquiries.

• In December 2021, the DPC published its Five-Year Regulatory Strategy for 2022-2027, providing clarity to stakeholders as to the direction of travel for the regulatory priorities of the DPC going forward.
  

New Strategic Approach to Data Breach Notifications

The DPC outlined its plans to prioritise and focus its resources on enforcement activities related to data breaches.

From January 2022, the DPC will no longer offer guidance to a controller when a breach takes place. Instead, controllers are expected to rely on the DPC’s published guidance on data breaches. 

Previously, the DPC took a hands on approach, completing its own risk and impact assessments for each notified data breach and engaging with controllers on mitigation actions and notifications to data subjects in high risk cases. In doing this, the DPC sought to assist controllers in acclimatising to their data breach notification responsibilities.

While the DPC will continue to assess all data breach notifications, it will only engage with controllers beyond an acknowledgment where the DPC receives complaints or determines that it requires further information on the data breach or a formal statutory inquiry is warranted. 

In light of this change of approach, controllers should not interpret an absence of immediate engagement from the DPC after its breach notification as an indication of satisfaction with the report or that the matter is concluded.

Large-scale Inquiries

The DPC’s annual report provided an overview of its large-scale inquires completed and ongoing during 2021. The WhatsApp case which resulted in an historic fine of €225 million was the largest fine issued by the DPC to-date and received considerable attention and commentary. Outside of Ireland, among all GDPR fines, this fine is the second highest fine that has ever been issued by a supervisory authority. 

The DPC noted the Limerick City and County Council case as a significant decision domestically. The DPC imposed an administrative fine of €110,000 and a temporary ban on the Council’s processing of personal data in respect of certain CCTV cameras for failures in compliance with the GDPR and the law Enforcement Directive in respect of the Council’s use of CCTV and surveillance. 

Failings related to the lack of appropriate technical and organisational measures were identified as the causes of some of the other higher fines issued in decisions against the Irish Credit Bureau, MOVE Ireland and Teaching Council. 

New Guidance Documents and Resources

The DPC published the final version of its guidelines ‘Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing’ in December 2021. The guidance had immediate application and operational effect. The DPC’s Annual Report highlighted the protection of children as a priority area where it will concentrate supervision, regulation and enforcement efforts and all organisations involved in the processing of children’s data should take note of the DPC guidance.

In December 2021 the DPC published its Regulatory Strategy 2022-2027, setting out its strategy for the next 5 years. The DPC will focus on regulating consistently and effectively; safeguarding individuals and promoting data protection awareness; prioritising the protection of children and other vulnerable groups; bringing clarity to stakeholders; and supporting organisations and driving compliance. In its strategy, the DPC commits to supporting Data Protection Officers in their role within organisations. 

In the coming months, the DPC intends to publish more guidance including case studies and material for supporting Data Protection Officers in their day to day work. 

For further information, please contact Seán O’Donnell, Zelda Deasy or any member of the ByrneWallace LLP Data Protection/GDPR Team.