Mazars data protection newsletter - Issue 1

In this newsletter, we discuss reporting processes and breaches in the new GDPR business landscape, the EU’s proposed response to data flows post-Brexit, and how new technologies are being considered to aid firms with compliance. There is also information about how you can participate in our yearly Data Protection Survey.

To date, the Irish DPC has not made public any cases it has concluded under the 2018 Data Protection Act, and no civil actions have made it to the courts. As such, the interpretations and decisions made during GDPR projects remain unvalidated.

Reports to the Data Protection Commission

Since the GDPR took effect, the number of data breaches reported each month to the DPC has increased by almost a factor of 3, from an average of 230 reports per month in 2017 to an average of 595 per month since the GDPR became enforceable in May 2018. The breaches reported typically relate to human error, such as an individual emailing personal data to an incorrect recipient.

Complaints received by the DPC have also risen significantly since May 2018, with the average number of complaints received per month almost doubling compared with 2017. The most frequent complaint issues are disclosure of personal data without a legal basis, access requests, and unfair processing.


Developments in Irish legislation

Minister for Health, Simon Harris, has introduced the Health Research Regulations. The Data Sharing and Governance Bill 2018, sponsored by Paschal Donohoe, is currently before the Seanad.


Lawful processing of special category data

We understand that a number of organisations are seeking to use public interest as a lawful basis for processing special category data. This requires a separate regulation for each instance, and these regulations will need to pass through the Dáil and Seanad. We expect this process may suffer delays, resulting in some organisations accepting the risk that they do not have a lawful basis for processing in the short term.

Breach reporting

The change in reporting thresholds has caused confusion and uncertainty for some data controllers. Pre-GDPR guidance encouraged ‘high-risk’ types of breaches to be reported to the DPC. The new legislation simply states that breach reporting is not required where the breach is ‘unlikely’ to result in a risk to the rights and freedoms of the data subjects involved.

Deciding where an organisation sets the bar for data breach reporting is not easy. If too many low-risk data breaches are reported, there is the chance of over-reporting and attracting unwarranted focus from the DPC. The flip side is that if you don’t report an event, the DPC could deem that you have not met your reporting obligations. Hopefully this will become clearer over the next few months.

Brexit and GDPR

On August 29th, the EU released the study ‘The future EU-UK relationship’, which analysed how data flows between the UK and EU will be impacted by Brexit. It concludes that the current legislation will not allow data flows between the UK and EU, because:

  • An adequacy decision would largely meet the requirements of the private sector. However, the process to grant an adequacy decision can only start post-Brexit and will take time.
  • An adequacy decision will not suffice for public sector data sharing which is underpinned by a myriad of EU legislation which will no longer apply in the UK.
  • The report recommends that an initial standstill period is agreed to allow time for a bespoke data sharing arrangement to be defined, drafted and passed into law in the UK and EU.

Technology investments to support compliance

Larger organisations generally updated their high-risk core platforms to account for GDPR in advance of May 25th. We see that many organisations are now assigning a budget for 2019 to GDPR-related technology. Based on a straw poll of our clients, the most common problems that organisations are seeking to address with this technology are:

  • Searching and controlling data in unstructured systems such as email and file shares
  • Reduction or removal of the manual effort associated with processing SARs, including redaction
  • Implementation of retention policies
  • Governance tools to support the GDPR accountability principles.

It is not yet clear whether effective solutions are available for individual organisations. In addition, the business requirements for these solutions are not yet fully understood; in some instances, it is too early to define a business case. Many vendors appear to be selling solutions that have been developed or significantly updated recently. Some of these solutions are not yet mature, and there appear to be many version updates coming in Q4 2018. At this point, putting an envelope for spend in the 2019 budget may be sensible, even if how it will be used is less clear.

Project tail - the 5 most common areas where GDPR project activities remain outstanding:

  1. Establishing and implementing retention policies and schedules
  2. Obtaining agreement on Data Processing Agreements / Data Sharing Agreements
  3. Management of unstructured data in email and file shares
  4. Publishing and enforcing policies and processes in front line departments and teams
  5. Completing legitimate interest assessments and DPIAs
