The Data Protection Commissioner ("DPC") has published her Annual Report for 2017 (the "Report"). The Report reviews the DPC's activity in 2017 and sets out her priorities for 2018. Some highlights of the Report include:
- The total number of complaints received by the DPC was up 79% from 2016 to 2,642 and the total number of valid data security breaches was up 26% from 2016 to 2,795;
- The Office of the DPC conducted 91 audits / inspections over the course of 2017 on a range of organisations, from large multinationals to public hospitals and SMEs; and
- The DPC was party to a number of proceedings before the Irish courts in which judgment was delivered in 2017, most notably DPC v Facebook and Schrems.

The Report contains details of the DPC's engagement with the public, organisations and other European data protection authorities over the course of 2017. It describes the DPC's preparatory efforts for the General Data Protection Regulation ("GDPR"), which comes into force on 25 May 2018.
Preparing for the GDPR
Unsurprisingly, the DPC's office is putting sizable effort into preparing for the GDPR. 2017 saw a significant increase in the DPC's budget to 7.5 million, and the budget for 2018 is further increased to 11.7 million. The DPC is now one of the most highly resourced national data protection authorities in the EU.
In 2017 the DPC established a dedicated GDPR Awareness and Training unit, with responsibility for driving the DPC's GDPR awareness activities. The DPC also launched a GDPR micro-site aimed at providing a central repository of guidance to organisations. The DPC acted as the Article 29 Working Party's "lead rapporteur" with responsibility for the drafting and preparation of the Guidelines on Transparency under Regulation 2016/679.
Looking Ahead to 2018
The Report describes the DPC's main goals for 2018, which include:
- Building the capacity and capabilities of the DPC's office through securing appropriate resources and concluding work on developing structures, processes and systems;
- Working with European and international data protection authorities through contributing to work of the Article 29 Working Party, engaging with the European Data Protection Board and promoting bilateral cooperation and information sharing;
- Driving better data protection awareness and compliance through strategic consultation with public and private sector organisations, particularly in areas of highest risk and large-scale systemic data processing...