The Commissioner for Data Protection, Helen Dixon, has published the first annual report (Report) of the new Data Protection Commission (DPC) covering the period 25 May to 31 December 2018.

The comprehensive report details the work of the DPC following the commencement of the General Data Protection Regulation (GDPR) on 25 May 2018.

Facts and figures

Some of the interesting facts and figures in the Report include:

  • 2,864 complaints were received in the period 25 May 2018 to 31 December 2018. In total, 4,113 complaints were received in the 2018 calendar year representing a 56% increase on the total number of complaints (2,642) received in 2017.
  • In the same period, 3,542 valid data security breaches were notified. In total, 4,740 valid data security breaches were notified in the 2018 calendar year representing a 70% increase on the total number of valid data security breaches (2,795) recorded in 2017.
  • 32 new complaints were investigated in respect of various forms of electronic direct marketing: 18 related to email marketing; 11 related to SMS (text message) marketing; and 3 related to telephone marketing. A number of these investigations concluded with successful District Court prosecutions by the DPC.
  • The first stream of a public consultation on the processing of children’s personal data and the rights of children as data subjects under the GDPR was launched on 19 December 2018. This consultation closed on 1 March 2019.
  • 900 notifications of the appointment of Data Protection Officers were received by the DPC.
  • Staffing numbers increased from 85 at the end of 2017 to 110 at the end of 2018.

Technology company investigations

During the period 25 May 2018 to 31 December 2018, the DPC commenced 15 investigations in relation to the GDPR compliance of certain technology companies, including Facebook, Twitter, Apple, Instagram and WhatsApp. The areas of investigation included:

  • In the case of WhatsApp, whether the company has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using its platform.
  • In the case of Apple, examining whether the company discharged its GDPR transparency obligations in respect of the information contained in its privacy policy and online documents regarding the processing of user's personal data
  • In the case of Facebook Ireland, whether the company has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users and examining Facebook’s compliance with the GDPR’s breach notification obligations.

Regulatory strategy

The DPC is expected to shortly launch a consultation with stakeholders to feed into the development of its five-year regulatory strategy. It is expected that this strategy will set out the DPC’s regulatory priorities and give insight and greater certainty to organisations and individuals on how the DPC intends to regulate.