
Important Notes for Tech Companies in Data Protection Commissioner Annual Report for 2016

By Seán O' Reilly and Laura Prendiville

The Data Protection Commissioner (“DPC”) has recently published her annual report for 2016. With the appointment of three deputy commissioners in the past year, the DPC has enhanced its resourcing in preparation for the GDPR. The DPC is also set to extend its recruitment drive into 2017, with a view to increasing its staff to 100 people from varying backgrounds such as legal, data analytics and technical policies.


Goals for 2017

The DPC’s main objectives for 2017 include GDPR and ePrivacy Readiness. This will involve active engagement with the Article 29 Working Party towards the preparation of guidance, implementation of a new website and upskilling staff to meet new regulatory demands. 

The Commission will also be managing the standard contractual clause proceedings it initiated in May 2016. This may involve a reference to the CJEU to examine the validity of standard contractual clauses as a means of transferring EU personal data to the US following the ‘Schrems 1’ ruling in October 2015.

Review of 2016

Multinationals and Technology

The GDPR will come into force in May 2018 and with that the DPC reports that “it will be the lead data-protection authority for multinational companies which have their ‘main establishment’ in Ireland under the one-stop-shop model”. The DPC has set up a Multinationals and Technology team to ensure co-operation between the various data protection authorities and will also carry out the various consultations, investigations and audits regarding data-processing issues. 

Following Facebook’s acquisition of WhatsApp in 2014, the team examined WhatsApp’s update to its terms of service and privacy policy by engaging with both parties in relation to data sharing and processing issues. The team also examined the significant Yahoo! data breach in 2014 which was reported to the DPC in September 2016. The DPC expects to have these matters concluded in 2017.

Common Technology Issues

The DPC has identified what she considers to be the three most common data protection issues when it comes to technology. First, many data controllers are not aware of their statutory obligations, which inevitably leaves personal data vulnerable. The second issue identified was in relation to the security measures that organisations have in place to cover any technical risks. The DPC recommends that, in order to improve on this issue, organisations need to implement “rigorous policies/procedures and inventories” together with training to reduce the instances of human error. The final issue identified by the DPC was that most ransomware attacks rely on human error or misjudgement to succeed and, on that basis, organisations should be stressing the importance of a ‘think before you click’ policy.

The DPC also noted the importance of organisations having sufficient password policies and user authentication requirements in place. An example of what was described as a “brute force attack” on an online retail organisation was given in the report. In this case, the attackers tried various combinations of passwords and usernames to gain access to user accounts over a two-week period in 2016. The attackers eventually gained access to personal data and, with that access, could also withdraw user balances. In order to mitigate the risk of this type of attack, the DPC recommends the use of “multifactor authentication, network rate limiting and logon alerts”.

Complaints and Investigations

The DPC reports that 1,479 complaints were investigated in 2016, with the largest number of those complaints relating to access requests. It was reported that the high level of complaints in the area of data access is attributable to data controllers’ lack of awareness of their statutory obligations on the topic.

A number of ‘Right to be Forgotten’ claims were also received by the DPC, with a total of 15 being rejected and 6 being upheld last year. 

Special Investigations

Following the Special Investigation Unit’s (“SIU”) first full year in operation, the DPC reports on a number of investigations which were carried out. The SIU has an ongoing investigation into the private investigator sector, which last year resulted in two successful prosecutions for significant breaches of personal data. One of the issues which was reported by the DPC concerned the use of vehicle-tracking devices. In light of this investigation, guidelines have been issued to a number of companies who engage with private investigators regarding their compliance with the Data Protection Acts.

The SIU also carried out an investigation into the Surgical Symphysiotomy Payment Scheme. A complaint was received regarding its plans to shred certain documents which were submitted to it by applicants as part of their claims for redress. In this case, the DPC reported no breach of data protection legislation on the basis that the appropriate consents had been obtained from the data subjects.

The hospital sector is set to be the subject of a new investigation in 2017. This will examine how patient data is processed in hospitals across Ireland. The SIU’s findings will form the basis for recommendations for improvements within the sector.

Data Breach Notifications

The DPC recorded a total of 2,224 valid data security breaches in 2016, which was a decrease from the 2,317 reported in 2015. The DPC found that the highest number of these data breaches were unauthorised disclosures either electronically or by post. The majority of these breaches were in the financial sector. For the most part, the data breaches were due to human error by way of inappropriate handling, improper disposal of data or loss of personal data held on smart phones, paper files or laptops. There was also a reported increase in the number of network-security breaches in 2016 involving ransomware and malware attacks.


For more on the 2016 annual report see here.
