Ireland - The 2016 privacy sweep highlights alarming shortfalls in management of personal data

Published 22 September 2016

The Global Privacy Enforcement Network ("GPEN") announced in 2016 that its annual "Sweep" or coordinated online audit would focus on the Internet of Things ("IoT").

The findings of the GPEN in relation to the IoT were published on 22 September 2016. The GPEN is made up of various data protection regulatory authorities across the world, including the Office of the Data Protection Commissioner in Ireland ("ODPC"). The GPEN conducted a review of the ways in which companies producing IoT devices (such as fitness trackers and electricity meters) communicated with their customers. The GPEN's aim was to assess whether companies are keeping users of IoT devices informed of the way in which their devices process and use personal data.

In brief, the report found that 72% of companies assessed failed to explain to customers how to delete their personal information. 68% of companies failed to properly explain how data was stored and 60% of companies failed to adequately explain to customers how their personal data would be processed and stored. In addition, the report found that 38% of companies failed to include easily identifiable contact details for data subjects who might have privacy concerns in relation to their data.

The regulatory authorities involved in the GPEN are now considering what action is to be taken against those companies that were found to be in breach of the legislation. Additionally, the ODPC announced that it is planning to increase its investigative and audit work in this area in 2017 and to work with companies to ensure that their devices are meeting the required standards pursuant to data protection legislation.

The GPEN's findings are a salutary lesson to all organisations producing IoT devices to be aware of their obligations under the Data Protection Acts 1988-2003 and to communicate with customers openly and transparently in regard to the manner in which their personal data will be processed and used.

To see the results of the GPEN's 2016 Sweep and the ODPC's statement in relation to those results click here.

Authors

Rowena McCormack

Dublin

+353 (0)1 231 9628
