UCD reported 6 cases of personal data breaches to the Commission, including two cases in which an unencrypted USB stick holding personal data was reported as “lost”, according to the Irish Examiner.
This is not the first time that the University’s GDPR compliance has been a cause for concern: in 2021, UCD was fined €70,000 after log-in details of UCD email accounts were posted online.
The Commission had previously instructed UCD to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,” as part of its decision to impose the €70,000 fine. UCD is understood to have addressed the issues raised by the DPC at the time.
The UCD Data Protection website states that the University is “firmly committed to ensuring personal privacy and compliance with the Data Protection legislation, including the provision of best practice guidelines and procedures in relation to all aspects of Data Protection.” In accordance with the GDPR, UCD is required to have a designated Data Protection Officer (DPO). UCD has said that the 6 cases reported to the Commissioner have been closed, and that it has been provided with a list of recommendations to improve controls.
The DPC has recently made national headlines, as concerns over GDPR compliance have affected other major institutions in the country. These include large multinationals such as WhatsApp, which has been fined €5.5m, having already been fined €225m for similar issues. As reported in the Irish Independent, WhatsApp parent company Meta has been fined €1.3bn over the last 16 months, which includes fines imposed on sister companies Facebook and Instagram.