By Pádraig Hoare
More than 1,300 “concerns or complaints” have been made to the Data Protection Commission since the General Data Protection Regulation (GDPR) became law last month, while firms have logged 60 breaches of people’s personal data with the watchdog.
The watchdog said it began receiving the first complaints from individuals since the law was implemented on May 25, and also its first notifications from organisations relating to personal data breaches, which are being dealt with under the GDPR.
It said: “In addition, the DPC team has been addressing a substantially increased number of telephone and email queries received both from members of the public and from organisations.
“Between May 25 and May 31, the DPC received around 700 telephone calls and over 650 emails to its information service. These include contacts from both individuals raising concerns or making complaints to the DPC and queries from organisations.”
The DPC said there are 10 cases so far in its assessment stage, which fall under GDPR. The rest of the complaints, which deal with cases before May 25, fall under previous Irish data protection laws.
“These [10 cases] relate to both national and multinational organisations. In addition, since May 25, the DPC has been notified of three cases by other EU data protection authorities under the new EU “one stop shop” cooperation mechanism.”
The DPC said it has seen an increase in the number of personal data breach notifications received since May 25. The GDPR compels organisations to report a personal data breach within 72 hours of becoming aware of it, where the breach presents a risk to the affected individuals.
“To date the DPC has logged around 60 notifications. Of these, just over half relate to data breaches which occurred post-25 May and these are being dealt with under the GDPR framework.
“The remainder relate to data breaches which occurred prior to 25 May and are consequently being progressed under the Data Protection Acts 1988 and 2003.”
The GDPR was ratified in 2016 following four years of negotiation, replacing the existing directive on data protection.
Unlike an EU directive, which can be implemented over a certain time, the regulation became law as soon as it took effect on May 25, meaning penalties can be imposed from the beginning.
The regulation is designed to harmonise data privacy laws across Europe and to protect citizens’ data privacy. It not only applies to organisations within the EU but also to firms that do business inside member states.
If companies fail to comply with the regulation, they can be fined up to 4% of annual global turnover, or €20m.
Pat Larkin, chief executive of cybersecurity firm Ward Solutions, said the figures were evidence that people had become more aware of their rights since May 25, and that firms were taking data breaches more seriously.
“Historically, there has been an under-reporting of data breaches. That under-reporting has now disappeared because of the GDPR. Even relatively insignificant breaches are now being taken more seriously,” said Mr Larkin.
“It has led to better practice to be put in place, and consumers now have more rights, which they are asserting. It is in effect the rebalancing of excessive power, which can only be a good thing for citizens.”