Data Protection Commission warns of dangers of ‘negative outcome’ from court cases

Regulator cites issue in latest risk register which identified eight challenges

The Data Protection Commission (DPC) has warned of the risk of getting taken to court and how a “negative outcome” for it could damage its reputation and drain its resources.

The DPC also raised concerns over a potential failure to secure and retain funding for its work and the challenges posed by a rapid expansion in its staff numbers.

The commission – which has previously admitted to being “acutely strained” by data protection cases involving giant multinationals – identified eight separate challenges in its latest risk register.

The risk that scored most highly was difficulty in securing enough Government funding and getting sanction for “key items of expenditure”.


The register said this would affect its ability to achieve strategic objectives and meet its obligations under law.

Also deemed of higher risk were difficulties stemming from a rapidly expanding workforce, with staff numbers more than doubling over the past five years.

This risked putting strain on its accommodation, internal systems and strategies according to the register, which was released under the Freedom of Information Act.

The document warned of the challenges of recruiting and then retaining key staff with the corporate and regulatory knowledge to carry out its role.

The DPC said this was being tackled through targeted recruitment for general and specialist roles and that it was developing in-house human resources capacity and expertise.

It said: “Analysis at senior management level to forward plan staffing requirements across all levels and in each area to meet strategic objectives [is also taking place].”

The risk of losing a high-profile court case was flagged in the register both because of its “draw” on resources and the impact that failure would have from a “reputational perspective”.

The DPC said it had robust procedures in place to mitigate negative outcomes along with a legal services contract for complex cases.

It also recommended “recruitment of senior specialist staff to the legal unit to increase its capacity and in particular to create a senior litigation oversight role”.

The risk register warned as well of failures to effectively communicate its work leading to “misperceptions” about its effectiveness.

It said this had the ability to cause reputational damage both within Ireland and internationally because of its broad role in monitoring “Big Tech”.

The DPC said controls in place included ensuring “proactive communications” about its work here and abroad, as well as regular involvement in speaking events and other public engagements.

The register added: “Protocols [are] in place surrounding release of information regarding the work of the organisation across all levels.”

Also identified in the document was the risk of failing to put in place effective governance that could lead to missed targets and ineffective control of projects.

Asked about the register, the Data Protection Commission said it had nothing to add.