In 2023, the DPC was responsible for handling 87 per cent of all GDPR-related fines in Europe, totalling €1.55 billion. But with many of the largest cases undergoing appeals, the actual amount of fines paid was a fraction of that. In reality, the report shows that the amount paid to the Irish regulator was just €1.375 million.
That’s just one of the many findings in the Data Protection Commission’s annual report for 2023. The report weighs in at 148 pages. It’s free to download and there’s plenty for privacy professionals to digest. In this blog, I’ll pick out some of the numbers and trends that caught my eye.
For the sixth year in a row, the number of GDPR data breaches rose. In 2023, there were 6,991 valid notifications, which is up 20 per cent on the previous year. Of the total, 3,766 breaches were from the private sector, 2,968 came from the public sector, and 257 were from voluntary and charity groups.
To me, such an even split between the public sector and private sector seems strange, because public sector workers make up just 14.4 per cent of the labour force. My interpretation is that the public sector has its data protection house in order and has good breach reporting. Another explanation could be that public authorities by definition have to appoint a data protection officer (DPO) and private companies don’t.
Takeaway 1: tackle potential underreporting of data breaches
In my experience, the number one reason why breaches are underreported is that employees don’t tell their manager or fill in the breach reporting form. So if a data protection professional is working in an organisation, one place to tighten up on this is to check and, if necessary, update the organisation’s breach incident management plan.
If organisations are worried about the consequences of reporting to the regulator, I would always reassure them and say: when you report to the DPC, it’s not their intention to open an inquiry and levy a fine. If you answer their questions correctly and show you have the correct measures in place, they will close your case quickly. If you work with the DPC, they will work with you, and I’ve found they’re very good at problem resolution. So don’t let fear stop anyone from doing the right thing.
A related observation on this topic: 8.53 per cent of disclosures were classified in the ‘other’ category and 6.2 per cent were considered unauthorised access. To me, this suggests there’s been an increase in attackers hacking organisations with the aim of getting their data. I’m inferring this from the fact that human error accounted for just over 51 per cent of breaches. We know from observation that security incidents like ransomware are rising. In previous years, the DPC gave hacking, malware, phishing and ransomware their own categories, but this year’s report doesn’t rank these categories the same way, which makes comparisons difficult.
Takeaway 2: easy-to-address process fixes
Some more observations on the unauthorised disclosure figures in the report: the number one cause is still human error. In plain English, this often means employees at public sector agencies, banks, insurance providers, or telecoms companies putting documents into the wrong envelopes (33.69 per cent of all breaches reported to the DPC last year). In 17.97 per cent of cases, the cause of the breach was emails being sent to the wrong person.
We often think about data breaches as complex issues, but in reality, if you fix both of the procedural shortfalls I’ve mentioned above, that would remove over half of the breaches reported to the DPC. They’re easy problems to fix: better training will tighten up the procedures. Another solution to consider is the ‘four eyes’ principle, where two different people check a letter before it goes out; for emails, just check the ‘To’ line again before you hit send.
Data subject access rights requests continue to rise. These tend to involve an individual who wants a copy of their data, but the organisation holding it doesn’t respond in a timely fashion. The report includes a slew of case studies, which I recommend reading, as they explain the decisions the DPC made about access requests and deletion.
Takeaway 3: be ready for access requests
The takeaway for privacy professionals is to be prepared for these requests and be able to respond to them in a timely manner. In other cases, the person might ask for their data to be deleted. In one case study (page 115), a person wanted the diagnosis in their medical record changed, but the DPC ruled that the record should stay as it was because it reflected the original diagnosis at the time.
The report also refers to the Circular Economy and Miscellaneous Provisions Act 2022, which will provide a clear legal basis for Local Authorities to use recording devices such as CCTV and Body-worn Cameras for the prevention, investigation, detection, and prosecution of litter and waste management offences.
Takeaway 4: actions needed if your organisation uses CCTV
The DPC issued updated guidance on this during 2023, partly because concerns about monitoring weren’t limited to CCTV but also extended to smart doorbells. For organisations that have CCTV systems in their offices, the three actions to take are to:
- Carry out a data protection impact assessment
- Create a policy for CCTV for the organisation
- Deploy signage to tell people that their images are captured on CCTV
In reality, there’s so much in this report that I plan to return to some of the specific areas in future blogs later this year, as they deserve treatment of their own. In the meantime, the report gives us plenty to work on.
Tracy Elliott is a Senior Data Protection Consultant with BH Consulting
