Privacy & Data Protection reports
In the past months, Deloitte Netherlands has conducted extensive research into Data Protection Authorities (DPAs). In the coming weeks we will publish sub-reports based on this research to help you gain more insights. Some key topics we will cover include Data Breach reporting, resources, guidance issued and enforcement actions taken. Keep an eye on our website for our latest reports!
- Reporting a Personal Data Breach
- Reported Personal Data Breaches
- Received complaints
- Guidance issued
Data Protection Authorities (DPAs) are facing busy times. Whilst their primary task is to enforce the application of the GDPR and ensure compliance, the GDPR entrusts the DPAs with a number of additional tasks such as creating awareness and handling complaints. In addition to this, they will need to cooperate with organizations from time to time, for example when dealing with certain high-risk Data Protection Impact Assessments or when a personal data breach is reported.
Because of this crucial role of DPAs, it is important for organizations to not only identify which DPAs they may need to engage with in the future, but also develop knowledge on the characteristics of these DPAs. At Deloitte we understand these needs. We have therefore conducted extensive research into certain key characteristics of the DPAs. The research seeks to paint a detailed picture and provide you with a closer look at factors that may influence a DPA’s way of working.
Part 1: Reporting a Personal Data Breach
The first part of our report focuses on reporting Personal Data Breaches. The GDPR has introduced a duty for all organizations to report certain types of Personal Data Breaches to the relevant Data Protection Authorities. The deadline for reporting is quite strict: only 72 hours can pass between becoming aware of a breach and reporting. We have studied a number of practicalities related to reporting and have come to the conclusion that reporting is not harmonized throughout the Union, and that, given the strict timelines, preparation is key!
Part 2: Reported Personal Data Breaches
The second part of our report presents an overview of personal data breaches reported to DPAs between 2016 and 2018. It provides insight into the differences between the EU member states and shows that generally there has been a major increase in reported personal data breaches since the GDPR became applicable in 2018. We also observe that, despite these increases, the numbers prove difficult to compare due to the very different ways in which DPAs publish information on reported data breaches.
Part 3: Received complaints
The third part of our report gives an overview of the number of complaints received by the DPAs across the EU in 2018. For some selected countries, it also presents how the number of complaints evolved over the last three years. These numbers provide valuable insights into the level of privacy awareness within the EU and how easy it has become to submit a complaint. It is therefore important that organizations understand the implications complaints may have on their business.
Part 4: Resources
Let’s talk money! How have DPA budgets developed over the past years and how are DPAs staffed? We’ve crunched the numbers for you. Interested in the trends over the past few years and the underlying data? Check out our latest report to see how your DPA is resourced.
Part 5: Guidance issued
Part 6: Enforcement activities