Irish eyes are sighing: Data protection office notes olagoanin'* up 79%
Annual report reveals boost in complaints, breach notifications
The Irish Data Protection Commissioner received 79 per cent more complaints last year than in 2016, while data breach notifications rose 26 per cent.
The figures, released in the commissioner's annual report for 2017 (PDF), show that the DPC's office received a record 2,642 complaints in 2017.
That's a 79 per cent increase on the 1,479 received the previous year, and much greater than in 2013, 2014 or 2015, when there were on average 930 complaints each year.
Some 52 per cent (1,372) of the complaints in 2017 were about access rights, while 312 were about unfair processing of data, 77 about the use of CCTV footage, and 21 were related to the right to be forgotten.
The office received 215 complaints about electronic direct marketing, and 146 were investigated – of these 80 were related to email marketing, 58 to SMS and just eight to phone.
Overall, the office concluded some 2,594 complaints, meaning there were 556 outstanding at the end of the year. At the moment, the office has 40 days to resolve a complaint; this drops to one month under the European Union's General Data Protection Regulation, which comes into effect in May.
Meanwhile, some 2,973 data security breaches were reported in 2017, of which 178 were classified as non-breaches. The 2,795 valid breach reports represented a 26 per cent increase on 2016's figure.
Most breaches – about 59 per cent – were related to unauthorised disclosures, and the majority of them were in the financial sector, the commissioner said.
Some 6 per cent of all reported cases were in the telecommunications sector, which was 25 per cent more than in 2016; there was also an increase in the number of network security compromises – these rose from 23 to 49, and usually included ransomware and malware attacks.
The report said that the commissioner's multinationals team had investigated 19 data breaches in 2017, noting that its investigation into the Yahoo! data breach was "largely concluded" in 2017 and would be finalised in the first half of this year.
A central part of that work will assess the extent to which the EMEA controller – Yahoo! EMEA in Dublin – had complied with its obligations to ensure that the processing of EU users' personal data by its processor, Yahoo! Inc., was sufficiently secure in terms of technical and organisational measures to safeguard the data.
Elsewhere, the report set out the main issues it had faced in 2017 and plans for 2018.
Among these, it noted the ongoing litigation between Facebook and Max Schrems, which the Irish High Court agreed to refer up to the Court of Justice of the EU but has yet to finalise the specific questions.
The report also noted the extra cash the government has promised the body, which rose to €7.5m in 2017 and will increase again to €11.7m this year, allowing it to recruit an extra 55 staff on top of the existing 85.
However, it was – rather unsurprisingly – GDPR that topped commissioner Helen Dixon's agenda.
"The phrase 'game-changer' is so frequently used that it has to some extent lost its potency," she wrote in the foreword.
"I truly believe that May 2018 will be a seminal milestone in ensuring that the rapid technological change and importance of data in our daily lives is now backed by a transparent and flexible but robust regime for the protection of individuals." ®
* Grumbling and complaining – from the Gaelic olagón (lament).