Three out of four Irish organisations (76%) have seen an increased number of reported data breaches since 2018, according to our latest survey. We polled 200 in-house lawyers from both the public and private sectors at our recent Data Privacy In-House Counsel Masterclass at The Marker Hotel, Dublin.
Brian Johnston, Privacy & Data Security Partner, said: “The results show that organisations are very conscious of their breach notification obligations and take them seriously. The volume of notifications does not necessarily mean organisations are not complying with their obligations to have good security in place.
While the recent Data Protection Commission (DPC) annual report showed a 12% decrease in notifications from 2021 to 2022, on the whole, organisations are reporting far more than they were in 2018, when the General Data Protection Regulation (GDPR) came into force.
Our advice to clients is that you can’t prepare for every security incident, but you can take steps now to ensure you are compliant with your security obligations if an incident does occur.”
Commenting on the event overall, Philip Nolan, Partner and Head of Privacy & Data Security, said: “In the five years since GDPR came into force, we have seen consistent regulatory activity, as well as continued innovation around the use of personal data. New EU rules further tightening the use of data and technology are also on the horizon.
This event is intended to bring in-house lawyers together to discuss the evolving data privacy landscape, and to arm them with the necessary knowledge to navigate this complex terrain.”
Oisín Tobin, Privacy & Data Security Partner, said: “This is significant because in September 2021 there was a major Irish Data Protection Commissioner decision finding that privacy policies should be much more prescriptive in terms of the level of detail they should contain. Most privacy policies adopted before this date are unlikely to align with regulatory expectations.”
Philip Nolan commented: “There is quite a lot of non-compliance across privacy policies in the market and it is quite likely that if you have not revamped your policy in the last two years, it is not compliant.
This is a real and significant risk area and we are working with many of our clients to update their privacy policies in the light of the DPC’s consistent focus on transparency when it comes to enforcement.”
The survey also revealed that 28% of respondents do not have policies or procedures in place to deal with subject access requests from employees.
Melanie Crowley, Partner and Head of Employment Law, said: “It is really important that employers know and are transparent about what employee data they collect and retain, why they collect and retain it, where they keep it and for how long data will be retained.
On a practical level, employers should (1) review their employee privacy notices to make sure they are up to date, relevant and comprehensive, (2) be careful what is written down about employees and (3) have internal processes and guidance – not generic guidance, but meaningful, practical guidance – on dealing with subject access requests from employees.
This will enable efficient and consistent responses to subject access requests from employees. Good housekeeping makes for smoother responses to subject access requests from employees and mitigates the risk of complaints by employees to the DPC.”
Robert McDonagh, Privacy & Data Security Partner, added: “It is prudent for employers to operate on a working assumption that subject access requests will be escalated to the Data Protection Commission – 42% of complaints to the DPC last year related solely to access requests.”