The first post-GDPR report from the Data Protection Commission makes for interesting reading. The data breach statistics understandably got plenty of coverage, but there were also many pointers for good data protection practice. I’ve identified five of them which I’ll outline in this blog.
Between 25 May and 31 December 2018, the DPC recorded 3,542 valid data security breaches. (For the record, the total number of breaches for the calendar year was 4,740.) This was a 70 per cent increase in reported valid data security breaches compared to 2017 (2,795), and a 56 per cent increase in public complaints compared to 2017.
By far the largest single category was “unauthorised disclosures”, which was 3,134 out of the total. Delving further, we find that many of the complaints to the DPC relate to unauthorised disclosure of personal data in an electronic context. In other words, an employee at a company or public sector agency sent email containing personal data to the wrong recipient.
A case study on page 21 of the report illustrates this point: a data subject complained to the DPC after their web-chat with a Ryanair employee “was accidentally disclosed by Ryanair in an email to another individual who had also used the Ryanair web-chat service. The transcript of the webchat contained details of the complainant’s name and that of his partner, his email address, phone number and flight plans”.
It’s a common misconception that human error doesn’t count as a data breach, but in the eyes of GDPR, this isn’t the case. The most common reason for breaches like this comes from the auto-fill function in some software applications like email clients.
Where an organisation deals with high-risk data like healthcare information (because of the sensitivity involved), best practice is to disable auto-fill. I recommend this step to many of my clients. Many organisations don’t like doing this because it disrupts staff and makes their jobs a little bit harder. In my experience, employees soon get used to the inconvenience, while organisations greatly reduce their chances of a breach.
Another misconception I hear a lot is that it’s OK to use WhatsApp as a messaging tool because it’s encrypted. The case study on page 19 of the DPC report clarifies this position. A complainant claimed the Department of Foreign Affairs and Trade’s Egypt mission had shared his personal data with a third party (his employer) without his knowledge. A staff member at the mission was checking the validity of a document and the employer had no email address, so they sent a supporting document via WhatsApp.
In this case, the DPC “was satisfied that given the lack of any other secure means to contact the official in question, the transmission via WhatsApp was necessary to process the personal data for the purpose provided (visa eligibility)”.
My reading of this is that although the DPC ruled that WhatsApp was sufficient in this case, this was only because no other secure means of communication was available.
The report tells us that there were 900 Data Protection Officers appointed between 25 May and 31 December 2018. My eyes were immediately drawn to some text accompanying that graph (below). “During 2019, the DPC plans to undertake a programme of work communicating with relevant organisations regarding their obligations under the GDPR to designate a DPO.” This suggests to me that the DPC doesn’t believe there are enough DPOs, hence the outreach and awareness-raising efforts.
Private and public organisations will need to decide whether they should appoint a full-time DPO or avail of a service-model from a third-party data protection specialist.
Case study 9 from the report concerns an employee of a public-sector body who lost an unencrypted USB device. The device contained personal information belonging to a number of colleagues and service users. The data controller had policies and procedures in place that prohibited the removal and storage of personal data on unencrypted devices. But the DPC found that it “lacked the appropriate oversight and supervision necessary to ensure that its rules were complied with”.
The lesson I take from this is, “user error” is not a convenient shield for all data protection shortcomings. Many organisations expended effort last year in writing policies, and some think they’re covered from sanction because they did so. But unless they implement and enforce the policy – and provide training to staff about it – then it’s not enough.
My final point is more of an observation than advice. Between 25 May and 31 December, the DPC prosecuted five entities for 30 offences involving email marketing. The reports detail those cases. A recurring theme is that the fines were mostly in the region of a couple of thousand euro. However, all of these cases began before GDPR was in force; since then, the DPC has the power to levy fines directly rather than going through the courts. This is an area I expect the DPC to address. Any organisation that took a calculated risk in the past because the fines were low should not expect this situation will continue.
There are plenty of other interesting points in the 104-page report, which is free to download here.