Data breach reports decreased while fines increased

25th June 2020

  • OSS decisions to be published by the EDPB
  • €28,000 in fines imposed by the IDPC in the first 6 months of 2020
  • Most local breaches caused by employee error
  • Cyber-attacks are very sophisticated
  • Policies and training found to be missing

The IDPC will, as from this year, publish a summary of the cases it has investigated, backdated to January 2020. This was announced by the Deputy Information and Data Protection Commissioner, Mr Ian Deguara, during the GDPR – Two Years On conference organised by Advisory 21 and 21 Law, held online on the 24th June 2020. The reports, which will be made available through a website being launched during the coming month, will include a summary of the complaint, the decision taken by the Commissioner and the corrective action, such as a warning, a reprimand, an order to stop processing, a temporary ban, or a fine, depending on the case. Human resources permitting, this register might also include the cases investigated before January 2020.

Ian Deguara said that during the last year the IDPC imposed a total of €26,000 in fines. In the first six months of 2020 a total of €28,000 in fines has already been imposed, with ongoing investigations into serious cases which in all probability will incur dissuasive fines.

In the meantime, a day before the conference was held, the European Data Protection Board (EDPB) gave the supervisory authorities a heads-up that it will be publishing the One Stop Shop (OSS) decisions in a redacted format. It is expected that this register will include 5 decisions taken by the IDPC as the lead supervisory authority in those cases, three of which included a fine.

The number of data breaches reported to the IDPC between the 25th May 2019 and the 25th May 2020 dropped to 97, from 147 notifications in the previous 12 months. The numbers are trending downwards, and this trend was reported not only in Malta but in most EU Member States. Mr Deguara said that this is positive because it means that the DPOs are doing their work: in the first year a good number of the breaches which had been reported did not need to be reported. It was evident that many controllers, or their appointed DPOs, were failing to conduct a risk assessment following a suspected breach. Through such an assessment the controller should determine whether there are any risks to the rights and freedoms of the data subjects; only if there is such a risk should the supervisory authority be notified. He emphasised that controllers should have an incident response plan and data breach reporting procedures in place. Through investigations carried out in the last months, the IDPC has seen that such procedures are not in place at most controllers.

Most data breaches reported to the IDPC to date are due to human error by employees, such as sending emails with the recipients in CC rather than BCC, or sending documents to the wrong recipients. Ian Deguara attributed this high incidence of breaches to the lack of procedures and employee training. He remarked that, following the hype of around 2 years ago, GDPR training has gone down. “This is not good,” said the Deputy Information and Data Protection Commissioner. He further stressed that “Controllers must have the policies in place and must continue training the staff, particularly the DPOs.”

Another share of data breaches relates to external attacks by professional hackers. He described these attacks as very sophisticated, with the attackers knowing what to do and where to attack. In this regard Mr Deguara reminded controllers that, in terms of the GDPR, the responsibility falls squarely on them even if they engage third-party processors. He encouraged controllers to review the agreements with their processors and to make sure that their systems are subjected to vulnerability tests such as penetration testing. Cyber security should be taken seriously.

Ian Deguara encouraged controllers to go through the EDPB guidelines on processing of personal data through video devices, particularly on the retention period of such data.