The DPC completes the Data Protection Officer enforcement program
The DPC has expanded the program to include the private sector.
The DPC has set a threshold where private sector organisations meeting this will need a DPO. Organisations likely to meet this threshold include private hospitals, out of hours GP services, banking entities, and credit unions.
DPC Handling of Breaches Updates - New Form:
The DPC has put in place a new form for breach reporting. There will no longer be immediate engagement from the DPC, and it will no longer offer guidance on mitigation. The DPC will continue to investigate and determine whether a statutory inquiry is needed. In addition, it was stated that the DPC is going to be stricter with controllers that fail to acknowledge requests from data subjects.
Introductory Questions - Users will be required to confirm whether the breach is likely to result in a risk to the rights and freedoms of natural persons and whether the breach falls under the Law Enforcement Directive.
Your Supervisory Authority - The new published form will guide users to determine if the breach relates to cross-border processing. The user will have to answer questions including details of the controller’s establishments, location of affected data subjects and whether they are "substantially affected", in addition to the nature of the DPC's competence to the subject matter of the breach notification.
About You - Controllers will have to specify the industry sub-sector according to Eurostat NACE criteria. Controllers will also have to specify whether the notifying person or the DPO is the main point of contact for the breach notification.
Details of the Breach - The DPC has included more detailed options in relation to the nature of the breach and for the types of data affected by the breach. This would suggest some forensic investigation would be required to complete the report.
About the Data Subjects - The new form will require the controllers to choose the approximate numbers from a range of bands (1-10, 11-100,...) rather than include a specific number.
Action Taken - The new form requires users to include additional details of technical and organisational security measures including:
- Measures in place prior to the breach occurring
- Deficiencies identified
- Measures taken or to be taken to mitigate the impact of the breach on affected data subjects
- Measures put in place to reduce the likelihood of re-occurrence
Communication to affected data subjects - If the controller has used a public communication to inform affected data subjects of the breach, the new form requires the controller to explain why it would have involved disproportionate effort to notify data subjects individually.
If you require any GDPR advisory, consulting or assistance, please reach out to our GDPR team who will be able to assist you further. Click here to contact us