The Data Protection Commission (DPC) has said that more than 70 public bodies have brought themselves into compliance with a key aspect of the GDPR data-privacy rules after its intervention.
The data watchdog said that it had now completed the most recent stage in its Data Protection Officer (DPO) enforcement programme, which was aimed at improving compliance with article 37 of the GDPR.
Article 37.7 of the GDPR identifies public bodies as among the categories of data controller required to appoint a DPO, and to notify the DPO’s details to the relevant authority.
In the initial phase of the project, the DPC identified 77 potentially non-compliant public bodies from a total of almost 250.
“Following the intervention of the DPC, over 70 organisations brought themselves into compliance, raising the sector’s compliance rate from 69% to near 100%,” the watchdog said.
This year, the DPC also expanded the project to include the private sector, although there is no automatic requirement for non-public-sector organisations to appoint a DPO.
The commission did, however, identify several sectors that were likely to meet the threshold to appoint a DPO, due to the scale and nature of their data-processing activities.
These sectors included private hospitals and out-of-hours GP services, banks, and credit unions.
DPC reviewing decisions
The DPC found that just over 40% of the 24 organisations identified in the health sector had appointed a DPO, but all were now in compliance with the rules, after its intervention.
The data body’s review identified 34 banking entities, and brought the compliance rate up from 74% to 80%. Three organisations have given the DPC reasons for not appointing a DPO, while the remainder are continuing to engage.
Of the 242 credit unions identified by the DPC, just under 30% were in compliance initially. The watchdog now says that 64% are complying with the rules, with 10% in “partial compliance”.
The commission is reviewing the reasons given by the 13% of credit unions that have chosen not to designate a DPO.
“In cases where the DPC identifies persistent non-compliance, further enforcement measures will be taken, as proportionate and necessary, to ensure compliance with the requirements of the GDPR,” the commission said.