Data Protection Commissioner Helen Dixon is to speak at a data security conference organised by Independent News & Media (INM) on Monday despite her plans to investigate a suspected data breach at the company.

A spokesman for Ms Dixon said that she and other staff from her office still intend to participate as the conference is about EU data rules, the General Data Protection Regulation (GDPR), coming into force on May 25th, and participation was in line with its commitments to build awareness of and preparedness for the new regulations.

Last week another high-profile guest due to speak at the Dublin Data Sec 2018 conference, former RTÉ journalist Mark Little, said he would not participate because he feels it would be “a conflict of interest” in light of the alleged breach.

Ms Dixon announced she intends to investigate the alleged breach after the Office of the Director of Corporate Enforcement disclosed in an affidavit that data was removed from the media company’s premises in October 2014, taken outside the country and “interrogated” by at least six outside companies.

The Independent group had made an earlier disclosure about the matter in 2017, but this did not lead to a full investigation.

“In August 2017, the DPC [Data Protection Commissioner] received a notification from INM under the terms of the Personal Data Security Breach Code of Practice regarding a possible data breach,” a spokesman told The Irish Times on Sunday.

Mandatory notification

“Mandatory notification of breaches is not required under current EU data protection law. It will become law from May 25th, 2018 to notify a breach to a data protection authority where a breach of personal data poses risks to individuals.”

The notification received in August 2017 was targeted towards an issue of off-site and on-site processing of INM data by third-party data processors without a written contract being in place (as required under 2C of the Irish Data Protection Acts), the spokesman said.

The notification did not at that time identify any risks to “data subjects” (ie, staff at the Independent group) arising from what was presented as a technical issue of processing without contract.

“It should be noted that it is an everyday legitimate activity for many companies to use third-party cloud providers and processors and, given the EU data free-flows guaranteed under EU data protection law, it is not significant that processing would occur in the UK as opposed to Ireland.”

Given that the entire matter, the subject of current media reports, is pending investigation, the DPC is still not in a position to state what the facts of the matter are, the spokesman said.

“The notification received from INM on 26th March now provides significant additional detail which has given rise to a scoping exercise on the part of this office in order to commence a targeted investigation.”

In the meantime, he said, the DPC has arranged with INM a contact point to which individuals who are concerned that they have been affected can be directed in order to get answers.

Staff at the Independent group have not as yet been told whether their data has been breached. A meeting with staff is scheduled for the middle of the week.