Ireland: Zero Personal Data Breaches Is Not The GDPR Standard

The Data Protection Commission (the "DPC") recently released a decision regarding Ark Life Assurance DAC ("Ark Life") in which the DPC found that no infringement had occurred (the "Decision"). Although the Decision is specific to its facts, it gives a welcome indication of what the DPC considers constitute appropriate technical and organisational measures in respect of the security of processing personal data.

The DPC's inquiry related to personal data breaches that Ark Life had notified to the DPC between December 2018 and May 2021 (the "Inquiry"). The personal data breaches primarily concerned the unauthorised disclosure of personal data due to address inaccuracies and postal and email issues. The Inquiry examined whether Ark Life had discharged its obligations in connection with the subject matter of the personal data breaches and considered whether any provisions of the Data Protection Act 2018 and/or the GDPR had been contravened.

The Inquiry focused on Ark Life's

• technical and organisational measures in place to ensure the security and accuracy of personal data; and
• associated policies and procedures in place to identify any risks to data subjects and the organisational and technical measures in place to address those risks.

The Commissioner determined that the key issue in which she had to make a decision was whether Ark Life had infringed Article 32(1) GDPR.

Security measures

As per Article 32(2) GDPR, the Decision recognises that the level of security that controllers and processors are obliged to implement must be appropriate to the risks posed to the rights and freedoms of data subjects by the processing of their personal data.

The DPC considered the measures Ark Life had put in place to address data processing risks. Such measures included the review and implementation of data protection policies and procedures, compliance and risk reviews and oversight measures for processing personal data through Ark Life's email and postal systems.

The DPC also considered the data protection training that Ark Life had implemented. The Decision notes that Ark Life introduced compulsory data protection training and that refresher training on personal data breaches was also delivered. This refresher training was designed to address the root causes of personal data breaches examined by the DPC in the Inquiry.

Of note to controllers will be the DPC's welcome finding that "Article 32(1) GDPR does not require Ark Life to ensure that zero personal data breaches occur, nor does it impose a strict liability standard on controllers where a personal data breach does occur". The DPC noted that the required standard to be met by controllers is not a "static concept" and must be continuously re-evaluated in light of the risks posed by the processing.

The Decision noted that the repetition and accumulation of personal data breaches in a particular segment of a business is indicative of an increased risk profile and the controller or processor is required to take steps to reduce such risk. Helpfully, the DPC also found that "the quantum of personal data breaches, in of itself, is not a basis for finding an infringement (or lack of an infringement) of Article 32(1)."

Finding

The DPC held that the security measures implemented by Ark Life were appropriate to the risks associated with the processing. The DPC considered that it was "notable" that although the personal data breaches were of various natures, Ark Life had specific policies in place which contained guidance on how to minimise such risks. The Decision also notes that Ark Life continuously re-evaluated the procedures it had implemented to reduce incidents of unauthorised disclosure of personal data.

In respect of training, the DPC found that Ark Life's data protection training programmes met the requirements of Article 32(1) GDPR. The DPC noted that all staff must undergo training, that Ark Life also provided enhanced data protection training on areas most susceptible to personal data breaches and that the training was continuously tailored to cover identified issues and to incorporate process changes.

The Decision is similar to another recently released decision in which the DPC found that Allianz plc had complied with its obligations under Article 32(1) GDPR. Notably, the Decision is in contrast to a number of other DPC decisions including its March 2022 decisions concerning Bank of Ireland Group plc and Meta Platforms Ireland Limited. These decisions also relate to personal data breaches and the DPC found in those decisions that the technical and organisational measures implemented by the respective controllers were not appropriate to the risk presented by the relevant processing.

The Decision is a timely reminder to organisations to ensure that their technical and organisational measures are appropriate to the risks posed by their data processing operations and to ensure that such technical and organisational measures function effectively in practice. As the DPC stated in the Decision, the standards required to be implemented by controllers and processors are not static and these should be continuously re-evaluated. Controllers should pay attention to the DPC's findings in the Decision when they are considering their own operational and governance arrangements.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.