First Annual Report from the DPC

first annual reportThe first annual report from the Data Protection Commission, under the auspices of the GDPR has just been released. Have you read it yet? It’s only 104 pages and unless you are a privacy nerd (like me) you may find it tough going. Truth be told, I struggled to stay fully focused on it as I read through it.

Surely this isn’t the first annual report?

The office of the Data Protection Commissioner has been around for many many years and have issued many many annual reports. When the GDPR came along on 25th May, the office was renamed to be the Data Protection Commission. This report (which you can read here) is their first report covering the period 25th May – 31st December 2018.

Due to the fact that there are investigations still going on from before 25th May 2018, under the previous legislation, the report shows two sets of figures. This post will concentrate on the GDPR figures.

What are the highlights?

There were nearly 2,000 complaints made. The top 10 of these accounted for 94% of all complaints. They are:

Top 10 GDPR complaints 2018

Issues around access rights was also the number 1 complaint (39%) under the previous legislation, so this is the most important area that a business or organisation should get right. I’m a little surprised by the complaints under Right of Rectification. That is such a simple one to get correct, why were there 30 complaints? ?‍♂️

Data breaches are on the rise.

There were nearly 3,700 data breaches reported. 85% of them were in the category of unauthorised disclosure which wasn’t really surprising.

Data breaches 2018

It’s interesting to note that there were 226 incidents (6%) which related to paper records. I actually think that figure should be a little bit higher, as I suspect people don’t consider losing or poorly disposing of paper records to be a proper data breach.

What about the Facebook problems reported last year?

They are in there too. There are 15 Statutory Inquiries into multinational technology companies. 10 of these inquiries relate to Facebook (7), or Facebook owned companies (WhatsApp 2 and Instagram 1). Of those 10 complaints 4 related to Legal Basis for processing and 3 relate to the data breach reported in September 2018.

The other companies that had inquiries ongoing are Apple with 2, Twitter 2 and LinkedIn 1.

Was there anything else interesting in the report?

Well yes there was. It’s to do with how the DPC acted when dealing with some of the complaints they came across. There were a few case studies provided (pages 24-26). The DPC handled these without the need to impose sanctions, by making the data controller aware of their failings and providing ways to rectify the situation.

What was also interesting was where complaints had come in about data controllers, who had been investigated previously by the Office of the Data Protection Commissioner. In these cases, the DPC prosecuted them in court and had financial penalties applied (pages 64-67). These cases were taken under previous legislation, so the sanctions were small enough. But this shows that if you, as a controller, come to the DPC’s attention multiple times, they will take a dim view of your behaviour.


There was a lot more to this first annual report than what I covered above, but for most businesses, these are the items that matter.

If you would like to avail of a free 1 hour consultation to find out what you need to do to prepare your business for the GDPR, then please send an e-mail to and somebody will get back to you.