Inquiry into a Consultancy Provider

(IN-20-4-8)

Date of Decision: 24 January 2022

This inquiry was commenced in respect of a personal data breach that the Personal Injuries Assessment Board (‘PIAB’) reported to the Data Protection Commission on 10 December 2019. PIAB is an independent statutory body that deals with personal injury claims. The personal data breach occurred when a Consultancy Provider sent an unencrypted USB storage device, containing personal data to PIAB, despite PIAB expressly stating the data was not to be sent. The Inquiry considered whether the Consultancy Provider had complied with its obligation to implement an appropriate level of security under Article 32 GDPR.

• The decision found that the Consultancy Provider had infringed Article 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data.

The corrective powers exercised:

• The decision issued the Consultancy Provider with a reprimand in respect of the infringement.

For more information, you can download a copy of the full decision at this link: A Consultancy Provider January 2022 (PDF, 947 KB).