This review of the first twelve months of the GDPR presents some statistics on the Irish Data Protection Commission and reports on its enforcement, guidance and consultation actions.

GDPR was implemented in Ireland through the Data Protection Act 2018. The Irish Data Protection Commission (DPC) has taken a proactive approach in respect of its various functions and including running a number of awareness campaigns in the lead up to May 25 2018. The DPC has opened inquiries into data-processing activities of Facebook, Apple, Twitter, LinkedIn, WhatsApp, Google and Instagram into issues such as large-scale data breaches, legal bases for processing and transparent presentation to users. It has not issued any fines under GDPR to date but that is not expected to remain the position indefinitely.

Between 25 May and 31 December 2018, the DPC received 3,687 data-breach notifications, of which 3,542 cases (96%) were classified as valid data protection breaches: an increase of 27% compared with the number of breaches reported in 2017. The largest number of breaches (85%) were because of unauthorised disclosure.

In January 2019, the DPC launched a large-scale public consultation on the Processing of Children’s Personal Data and the Rights of Children as Data Subjects under the GDPR. The DPC intends to use the responses to produce guidance materials for children and young people, and for organisations that process personal data of children and young people.

The DPC’s budget has increased significantly in recent years and the number of staff is due to increase further this year to meet the increased workloads.