The firm surveyed attendees at its recent ’ Data Privacy In-House Counsel Masterclass’ event, which took place at The Marker Hotel in Dublin and attracted 200 in-house lawyers from both the public and private sector.

Brian Johnston, privacy and data security partner, said: “The results show that organisations are very conscious of their breach notification obligations and take them seriously. The volume of notifications does not necessarily mean organisations are not complying with their obligations to have good security in place.

“While the recent Data Protection Commission annual report showed a 12 per cent decrease in notifications from 2021 to 2022, on the whole, organisations are reporting far more than they were in 2018, when the GDPR came into force.

“Our advice to clients is that you can’t prepare for every security incident, but you can take steps now to ensure you are compliant with your security obligations if an incident does occur.”

Philip Nolan, partner and head of privacy and data security, said: “In the five years since GDPR came into force, we have seen consistent regulatory activity, as well as continued innovation around the use of personal data. New EU rules further tightening the use of data and technology are also on the horizon.

“This event is intended to bring in-house lawyers together to discuss the evolving data privacy landscape, and to arm them with the necessary knowledge to navigate this complex terrain.”

The survey found that more than a quarter (26 per cent) of organisations have not updated their privacy policy since 2021.

Oisín Tobin, privacy and data security partner, said: “This is significant because in September 2021 there was a major Irish Data Protection Commissioner decision finding that privacy policies should be much more prescriptive in terms of the level of detail they should contain. Most privacy policies adopted before this date are unlikely to align with regulatory expectations.”

Mr Nolan added: “There is quite a lot of non-compliance across privacy policies in the market and it is quite likely that if you have not revamped your policy in the last two years, it is not compliant.

“This is a real and significant risk area and we are working with many of our clients to update their privacy policies in the light of the DPC’s consistent focus on transparency when it comes to enforcement.”

The survey also revealed that 28 per cent of respondents do not have policies or procedures in place to deal with subject access requests from employees.

Melanie Crowley, partner and head of employment law, said: “It is really important that employers know and are transparent about what employee data they collect and retain, why they collect and retain it, where they keep it and for how long data will be retained.

“On a practical level, employers should (1) review their employee privacy notices to make sure they are up to date, relevant and comprehensive, (2) be careful what is written down about employees and (3) have internal processes and guidance — not generic guidance, but meaningful, practical guidance — on dealing with subject access requests from employees.

“This will enable efficient and consistent responses to subject access requests from employees. Good housekeeping makes for smoother responses to subject access requests from employees and mitigates the risk of complaints by employees to the DPC.”

Robert McDonagh, privacy and data security pratner, added: “It is prudent for employers to operate on a working assumption that subject access requests will be escalated to the Data Protection Commission — 42 per cent of complaints to the DPC last year related solely to access requests.”