04 12 2018 Insights Cyber and Data Protection

A New Dawn: Key Takeaways from The ODPC’s Final Report

Reading time: 4 Minutes

Data Ipad1

By Bryan McCarthy and Sarah Slevin
4 December, 2018

The Data Protection Commission (“DPC”) recently published its “Final Report” (the “Report”). Rather than being the last such report we will see, the Report draws a line under the pre-GDPR data protection regime (relating only to the period from 1 January to 24 May 2018) and brings to a close 30 years of the “ODPC”, heralding the new era of the DPC and the increased powers and responsibilities it now bears.[1]


As is unsurprising, much of the content of the Report relates to the preparatory work undertaken by the DPC in advance of 25 May 2018. This work was not just internal to the DPC itself – as is clear from Helen Dixon’s introduction, the DPC was very proactive in helping both organisations and the public to prepare for the GDPR through consultations, awareness-raising and, as a specific example, visiting San Francisco and the Bay Area to meet companies seeking to comply with GDPR in order to understand their concerns and priorities.

A clear priority for the DPC during the period covered by this Report was its internal “GDPR Readiness Programme”, intended to prepare the office to deliver the range of new and expanded functions as a regulator under the GDPR, the Data Protection Act 2018 (the “2018 Act”) and other, related new and future laws. In total, 28 different workstreams focused on each aspect of the DPC’s operations, with the Programme entering its “Implementation Phase” in the run-up to the commencement of the GDPR.

Complaints and Communications

Although it is more difficult to make a direct comparison with previous, full-year reports, the scale of communications with the DPC (and the consequent workload of the office) is not what one might have expected. There were 1,249 complaints received by the ODPC in the period to 24 May 2018, broadly in line with the 2,642 complaints lodged with the ODPC in 2017 and running contrary to previous trends of year-on-year increases in complaints. However, this can likely be explained by a preference amongst data subjects to wait until the GDPR’s introduction before exercising their strengthened rights under the more onerous new legislation.

Nonetheless, examining a breakdown of the nature of the complaints is worthwhile:

Type of Complaint

Number Received

Access rights


Unfair processing of data


Disclosure of data




Direct marketing-related complaints


Use of CCTV footage


Failure to secure data


Failure to vindicate right of rectification


Complaints relating to delisting from internet search results


Retention of excessive data


Inaccuracy of data


Unlawful retention of data


Unauthorised access


Using data otherwise than for a specified purpose


Postal direct marketing-related complaints


Complaint relating to biometric data