Five takeaways for small businesses in Ireland’s GDPR report

Ireland is investigating big tech companies like Facebook and Apple for alleged GDPR violations. But a new annual report from the Ireland Data Protection Commission offers lessons for small businesses as well.

On May 25, 2018, the big day arrived. It was EU General Data Protection Regulation day, when the most stringent data privacy law in the world took effect. And when the day finally came, nothing really happened. It would take months to find out how data protection authorities would enforce the law, how big the fines would be, how it would affect businesses, and other burning questions.

Now, finally, we’re starting to get some answers. Last Thursday, the Ireland Data Protection Commission (DPC) published its first annual report since the GDPR took effect. The Ireland GDPR report covers the period from May 25 to Dec. 31, 2018. It includes many statistics, mainly about how many people are filing complaints and reporting data breaches. But it also consists of dozens of case studies — detailed summaries of incidents, complaints, data breaches, and litigation that offer fascinating insight into GDPR compliance and enforcement.

The big news splash from the report was the fact that Facebook, Twitter, Apple, and Instagram are under a combined 15 investigations for various possible GDPR violations. These range from known security incidents, like Facebook’s token breach, to questions about transparency, the right of access, and lawful basis for processing.

You can read in-depth about these investigations elsewhere. We thought it would be more useful to go over some of the less splashy details in the report, especially those that might be useful to small businesses.

People care, and they will file complaints

The first thing you notice in the report is the sheer number of complaints. There were more complaints in the seven months after the GDPR took effect than in all of 2013, 2014, and 2015 combined. The simple fact is that data privacy grows more important to people with every privacy scandal and data breach. Users are no longer willing to tolerate violations; they know their rights, and they know how to seek redress.

Helen Dixon, the Irish Commissioner for Data Protection, emphasized this fact in her introduction.

People’s interest in and appetite for understanding and controlling use of their personal data is anything but a reflection of apathy and fatalism. … [T]he rise in the number of complaints and queries to data protection authorities across the EU since 25 May 2018 … demonstrates a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data.

Fumbling an access request will get you investigated

Along those lines, data subjects seem especially concerned about their right to access their data and are frustrated when they can’t. Complaints related to “access rights” represented the largest portion of the total number of complaints the DPC received — 977 out of 2,864.

The right of access is contained in GDPR Article 15. As a data controller, you are required to make it easy for data subjects to ask to see certain information about your data processing activities, including the data you have and the purpose for using it.

In one case study, the DPC said it received a complaint from someone who had asked for a transcript of their customer service call with a multinational tech company. The company had not complied with the request. But as soon as the DPC contacted the company, the complainant received their data, and the case was closed. Though the DPC didn’t explicitly say this, it’s not difficult to imagine a company getting fined for repeated delayed responses to right to access requests.

Most data breaches are the result of accidental disclosure

Data breaches are shockingly common. The DPC received 3,687 data breach notifications during the first seven months of the GDPR. That’s over 16 data breaches reported per day. The vast majority of them were the result of “unauthorized disclosures,” which the DPC defines as the “inappropriate handling or disclosure of personal data, e.g., improper disposal, third-party access to personal data — either manually or online, unauthorised access by an employee.”

These kinds of data breaches often have to do with poor technological or organizational security. For instance, one data breach was the result of someone losing their USB drive, which contained unencrypted personal data of clients and personnel. The DPC identified two failures here: First, the employee should have used encryption. Second, the organization did not adequately supervise the employee regarding its IT security policy on encryption and removing personal data from the network.

Other times, bad luck plays a part, such as when an unencrypted USB fell out of a hole in a damaged mail package.

Hacking, malware, and phishing are preventable

Attacks represented the second-biggest cause of data breaches in the Ireland GDPR report. In one case, someone clicked a phishing link and entered their email credentials on the attacker’s fake website. This GDPR violation could easily have been prevented by using a secure email service, learning to recognize phishing attacks, and enabling two-factor authentication.

As we’ve previously written, there are concrete actions you can take to harden your small business against cyber attacks. Moreover, you can mitigate the threat of attacks by cultivating a cyber security culture in the workplace. The DPC gave a specific recommendation in this regard:

While many organisations initially put in place effective ICT security measures, we concluded that organisations were not taking proactive steps to monitor and review these measures or to train staff to ensure that they were aware of evolving threats. In these instances, we continue to recommend that organisations undertake periodic reviews of their ICT security measures and implement a comprehensive training plan for employees supported by refresher training and awareness programmes to mitigate the risks posed by an evolving threat landscape.

Organizations aren’t keeping good records of data and risk assessments

The report also included some preliminary findings of a recent Global Privacy Enforcement Network survey of Irish organizations. The results appear mixed. Most organizations have appointed a data protection officer and have good policies in place to prevent and respond to data breaches. But they fared poorly when it came to keeping records:

One-third of organisations failed to provide evidence of documented processes to assess risks associated with new products and technology. However, most organisations appear to be aware of the need for this and many are in the process of documenting appropriate procedures.

Worse:

30% of organisations failed to demonstrate that they had an adequate inventory of personal data while almost half failed to maintain a record of data flows.

The very first step of GDPR compliance is to understand what personal data your organization has. (See our GDPR Compliance Checklist for more information.)

The full Ireland GDPR report is well worth a skim if you’re responsible for GDPR compliance in your organization. By identifying where the regulators are focusing their efforts, you can understand where to focus yours.