Dr. Vivienne Me speaking on Dublin Tech Summit 2018

DPC has announced substantial changes in how the DPC will deal with breach notifications going forward

Last updated: 11th May 2022


VMGroup talks about the DPC Ireland updates to the regulation.

These updates are summarised below, along with the changes introduced in the new breach notification form.


Summary Updates:

The DPC completes the Data Protection Officer enforcement program

The DPC has expanded the program to include the private sector.

The DPC has set a threshold, and private sector organisations that meet it will need a DPO. Organisations likely to meet this threshold include private hospitals, out of hours GP services, banking entities, and credit unions.

DPC Handling of Breaches Updates - New Form:

The DPC has put in place a new form for breach reporting. There will no longer be immediate engagement from the DPC, and it will no longer offer guidance on mitigation. The DPC will continue to investigate and determine whether a statutory inquiry is needed. In addition, it was stated that the DPC is going to be stricter with controllers that fail to acknowledge requests from data subjects.

Introductory Questions - Users will be required to confirm whether the breach is likely to result in a risk to the rights and freedoms of natural persons and whether the breach falls under the Law Enforcement Directive.

Your Supervisory Authority - The new published form will guide users to determine if the breach relates to cross-border processing. The user will have to answer questions including details of the controller’s establishments, location of affected data subjects and whether they are "substantially affected", in addition to the nature of the DPC's competence to the subject matter of the breach notification.

About You - Controllers will have to specify the industry sub-sector according to Eurostat NACE criteria. Controllers will also have to specify whether the notifying person or the DPO is the main point of contact for the breach notification.

Details of the Breach - The DPC has included more detailed options in relation to the nature of the breach and for the types of data affected by the breach. This would suggest some forensic investigation would be required to complete the report.

About the Data Subjects - The new form will require the controllers to choose the approximate numbers from a range of bands (1-10, 11-100,...) rather than include a specific number.

Action Taken - The new form requires users to include additional details of technical and organisational security measures including:

  • Measures in place prior to the breach occurring
  • Deficiencies identified
  • Measures taken or to be taken to mitigate the impact of the breach on affected data subjects
  • Measures put in place to reduce the likelihood of re-occurrence

Communication to affected data subjects - If the controller has used a public communication to inform affected data subjects of the breach, the new form requires the controller to explain why it would have involved disproportionate effort to notify data subjects individually.

If you require any GDPR advisory, consulting or assistance, please reach out to our GDPR team who will be able to assist you further.
