Highlights from the Data Protection Commission’s first annual GDPR report

The DPC (Data Protection Commission) published its first annual report under the GDPR covering the period 25 May to 31 December 2018.

The report highlights a number of interesting statistics and year-on-year comparisons, most notably:  

  • 2,864 complaints received, bringing the total for 2018 to 4,113 complaints – a 56% increase on 2017. 
    • The category “Access Requests” was the highest complaint type received by the DPC – 33%

“The rise in the number of complaints and queries […] demonstrates a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data,” said Data Protection Commissioner Helen Dixon. 

  • 3,542 valid data security breaches were notified to the DPC, bringing the total for 2018 to 4,740 valid notifications – a 70% increase on 2017. 
    • 85% of these breaches related to unauthorised disclosures.
  • The DPC was advised of 900 data protection officers.
  • 15 statutory investigations were opened in relation to the GDPR compliance of certain technology organisations.
  • Between 25 May and 31 December 2018, the DPC received 136 cross-border processing complaints through the One-Stop-Shop mechanism, which were lodged by individuals with other EU data protection authorities.
  • DPC staff numbers increased to 110 at the end of 2018 (85 at the end of 2017).

Commenting on the GDPR’s impact, Dixon said: “Although we are still in the stage of having to bust some myths and misunderstandings that have built up around the GDPR, we feel very optimistic about the improvements we will see in Ireland in personal-data-handling practices over the next few years.”

“We look forward to industry embracing codes of conduct and raising the bar in individual sectors in terms of standards of data protection and transparency, which is why we have launched a large-scale consultation around the processing of children’s data, the results of which will be reflected in a best-practice guidance note for industry.” 

Data processing activities 

In 2018 the DPC opened inquiries into the data processing activities of Facebook, Apple, Twitter, LinkedIn, WhatsApp and Instagram. The results of these inquiries should arrive later this year, and the DPC hopes that similar organisations take note to better implement the GDPR’s principles. 

Children’s personal data 

The first public consultation on the processing of children’s personal data and the rights of children under the GDPR was launched in December 2018. In the second stream, launched earlier this year, the perspectives of children and young people in the classroom are being sought. Submissions are open until 5 April 2019. 

Towards the end of 2018, the DPC began a project to develop a five-year DPC regulatory strategy, which will include external consultation during 2019.

There are a number of case studies throughout the report, which provide an awareness of the DPC’s approach in relation to numerous data protection obligations. 

If you’d like to know more about how the Annual Report will affect you or your organisation in 2019, please get in touch.

Are you GDPR compliant? 

Do you think you have everything in place to meet the GDPR’s requirements when a data breach happens? Or are you still figuring out what needs to be done? 

Either way, you can get the answers you need by taking our self-assessment.

This quick survey will ask you a series of simple questions about your data protection methods. We’ll score you on your setup and advise you on any weaknesses that we find. 

Completing the questionnaire also gives you access to a tailored summary of the steps you must take to prepare for data breaches and comply with the GDPR. 


Prepare today for the cyber threats of tomorrow. How secure is your business? Take our brief self-assessment.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.