Our analysis of the DPC Annual Report: AI’s growing influence

Privacy professionals and a human-led privacy framework are more necessary than ever at a time when AI tools make it easy for individuals to assert their rights under GDPR. As the volume of data protection cases submitted to the DPC looks likely to grow, human oversight has a vital role in assessing those claims and deciding what’s valid and what’s vexatious. That’s our immediate takeaway after reading the latest annual report from the Data Protection Commission, where many referrals to the regulator last year involved people using AI to make their submissions.

Another aspect of the newly published edition (PDF) is the sheer volume of reports to the regulator. In 2025, the DPC received 16,160 new cases: a 45 per cent increase compared to 11,091 the previous year. There are a few possible ways to look at this: it could mean there are more privacy and data protection-related issues in actual terms. The increase could also be due to people becoming more aware of their privacy rights, or that the regulator’s role is more widely recognised.

According to the report, most data breaches were not sophisticated cyberattacks. The top three sources were: unauthorised disclosures, such as correspondence being sent to the wrong recipient; incorrect recording of details; or phishing/social engineering scams. The first two of these could be considered accidental rather than malicious.

Human error highlights need for privacy training

An interesting insight from the report is that just over half of all breach notifications were attributable to human error. This underscores the need for organisations to provide adequate privacy training to their staff, in order for employees to understand how personal data should be handled, and to raise awareness of phishing scams. Public sector organisations and banks made up the top ten organisations by number of data breaches recorded against them in 2025, although private sector organisations still accounted for 49 per cent of all notified breaches. This illustrates that data breaches can occur wherever personal data is involved and straddle the public/private entity divide.

In my experience, a common misconception is that data protection falls under cybersecurity, but the report reminds us that GDPR compliance applies to areas completely separate to cybersecurity. For example, physical documents left lying around, or documents being posted to the wrong address, all contribute to data breaches.

That is not to say that cybersecurity doesn’t have a crucial role to play in maintaining a data protection structure within an organisation. EPrivacy-related breaches were up by 71 per cent on 2024. Over one-third were caused by social engineering and phishing scams, where malicious actors targeted users via SMS to obtain passwords or one-time passcodes.

To combat social engineering and phishing scams, the DPC said it considers Multi-Factor Authentication (MFA) to be a ‘baseline security standard’ for online accounts. Privacy professionals should audit their organisation’s authentication measures and reinforce staff training around basic operational practices, such as verifying envelope contents and email recipients before sending.

Privacy professionals’ pending caseload

October 2025 was the busiest month ever recorded with 1,879 cases logged with the DPC. This, understandably, has had a knock-on effect on response times in dealing with cases. And this brings me back to the major theme of this year’s report. The Irish Examiner’s coverage of the report noted that the Commission is “well on the way to breaching the 20,000-complaint-marker for the full year 2026”. It seems likely that AI’s fingerprints will be all over a significant percentage of these submissions, so that is shaping up to be a critical new challenge for privacy professionals.

Members of the public are already availing of AI tools like ChatGPT to draft highly detailed, formal subject access requests and to formulate complaints that are then submitted to the DPC or directly to organisations.

Although AI helps people to exercise their rights, it creates a significant extra burden for data protection teams. Privacy professionals’ workloads could be about to get bigger to cope with a likely increase in complaints or submissions from individuals just because the technology makes it so easy to do so.

The human factor in handling automated complaints

Although it might be tempting for companies to rely on AI tools to filter or manage this extra burden, automation is not the answer here. In my opinion, the growing use of AI highlights the value of, and need for, human intervention. Human experts are essential for understanding the importance of a particular complaint, and for telling the difference between a genuinely valid GDPR request and a false complaint or one that’s not based on a true understanding of the regulation. AI-generated requests can be incredibly formal and detailed, and it requires trained privacy specialists to assess them accurately.

As a related note, the report found that the most common issues raised through email and webforms concerned non-responses to Subject Access Requests; concerns relating to the processing of personal data; and issues relating to social media accounts, many of which fell outside the scope of the GDPR. This again demonstrates the importance of companies building a comprehensive data protection framework through policies, processes, and a human-in-the-loop team to effectively assess and manage requests and issues as they arise.

Report card: could do better on SARs

At 140 pages, the full report has plenty of useful material for privacy professionals. Another point that stood out for me was many organisations failing to comply with their obligations under the GDPR, including handling data subject access requests. The DPC also published 39 case studies illustrating common compliance failures.

Based on the report’s figures, there are 4,218 DPOs registered in Ireland (since the report refers to 2025, the current number may actually be higher). The DPC used this year’s edition to remind organisations of their statutory obligations to these professionals and warned that failing to adequately support a DPO is a direct infringement of the GDPR.

In practice, this means DPOs must be given access to necessary financial resources, infrastructure, support staff, and training. If carrying out the role involves wearing multiple hats within your organisation, management must ensure that those other duties don’t give rise to a conflict of interest. Designated DPOs must have the independent capacity to carry out their tasks.

The Data Protection Commission Annual Report for 2025 points to data protection officers and privacy professionals having their hands full, making sure their organisations adhere to the fundamentals of transparency, security, and lawful basis. It also signposts the future for data protection. As AI becomes more prominent, human experts will be a vital asset in evaluating, prioritising, and lawfully responding to an anticipated new wave of incoming complaints.

Fearghal Keyes is a Senior Data Protection Consultant with BH Consulting.
