What Can We Learn from the Data Protection Commission’s 2022 Annual Report?

Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on Digital Trust, Privacy, Information Security, Supply Chain security, and Environmental, Health, and Safety topics.

March 10, 2023 - The Data Protection Commission (DPC) kept busy in 2022. As the European 'supervisor' of Big Tech organizations, and the Lead Supervisory Authority for many other companies, the DPC issued two-thirds of all General Data Protection Regulation (GDPR) fines across the EU and UK, surpassing €1 billion. Detractors suggest that the DPC should do more to govern Big Tech, but this shift in GDPR enforcement activity signals a warning for corporations to not disregard it.

Looking beyond the headline fines for Meta, DPC’s 46-page Annual Report provides an insight into the strategic priorities of the DPC, and the problem areas that persist for organizations processing personal data in compliance with the GDPR. The findings from the 17 large-scale inquiries are also worthy of some scrutiny.

Notable highlights include the One-Stop-Shop Cross-Border Statistics report, which sought to provide much-needed clarification as to how businesses operating in multiple EU member states engage with supervisory authorities and determine where they have a ‘main establishment.’

Misdirected correspondence (post and email) accounted for 62% of breaches reported to the DPC, with the highest number of breach notifications coming from public sector bodies and banks, and insurance and telecom also featuring heavily. The private sector accounted for 52% (3,014), the public sector 44% (2,568), and the voluntary and charity sector 4% (246).

Amongst the 17 large-scale inquiries, there are some common themes linked to the absence of basic privacy principles that should be embedded as a core part of a privacy framework. These include the failure to:

  • Notify breaches to the DPC and to data subjects.
  • Designate a DPO.
  • Identify the correct legal basis for processing.
  • Minimize data collection.
  • Secure and protect different categories of data appropriately.
  • Fulfil data subject rights requests and transparency requirements.
  • Assess risks of processing data and using new technologies.
  • Implement data protection by design and default.

Through a combination of information security and privacy controls aligned to established standards such as ISO 27001, ISO 27701, and emerging standards such as ISO 31700, a business can embed data protection by design and default within all systems and services, thereby avoiding these data protection pitfalls, safeguarding customer and employee data, maintaining and improving digital trust within an organization, and minimizing the chances of being the subject of a DPC inquiry in 2023 or beyond.

Read more insights from Matthew Goodbun in the blog 'Top takeaways from the new Data Protection and Digital Information (No.2) Bill'.

For more insights on other Digital Trust, Privacy, Information Security, Supply Chain security, and Environmental, Health, and Safety topics that should be at the top of your organization's list, visit BSI's Experts Corner.

Matthew Goodbun

Senior Privacy Consultant, Digital Trust Consulting, BSI

Matthew is a well-qualified Data Protection and Privacy Professional, with extensive knowledge of global Privacy compliance and Data Protection matters. A skilled and credentialled practitioner, his program management, compliance expertise, and knowledge of global privacy laws means he is well positioned to translate regulatory compliance obligations into meaningful business context.

Matthew supports his clients to highlight the commercial benefits of prioritising privacy through proactively building and maintaining digital trust and embedding privacy by design and default across all products, services, functions, and jurisdictions.