This article accompanies Hour 1: Global Privacy Law Updates in our full-day CPD programme on XpertAcademy. Completion of the full one-hour session, including the related learning materials, contributes to the one-hour CPD certificate issued for that session. You can access the course here: CPD Event A: Full-Day Regulatory Privacy Training.

The Data Protection Commission’s Annual Report for 2025 is not only a record of regulatory activity. For DPOs, privacy teams, legal teams and senior leadership, it is a useful signal of where privacy governance is becoming harder to explain.

The headline figures are substantial. The DPC received 16,160 new cases from individuals in 2025, a 45% increase on 2024. It concluded 11,734 cases during the year, concluded 208 valid cross-border complaints as EU or EEA Lead Supervisory Authority, received 6,521 valid breach notifications, and imposed administrative fines totalling EUR 530,773,000.

Those numbers matter. But the more useful question for organisations is not simply whether enforcement is increasing. It is whether the organisation can explain its own decisions, evidence, ownership and escalation when a complaint, breach, AI concern, subject access dispute, transfer question or children’s data issue becomes live.

That is the theme running through the 2025 report. Privacy work is becoming more connected, more operational and more evidence-dependent. The DPO function is no longer judged only by whether policies exist. It is judged by whether the organisation can show how privacy decisions are made, reviewed, recorded and improved when real pressure arrives.

This article is general guidance, not legal advice. It is intended to help DPOs, privacy teams and senior stakeholders use the DPC’s 2025 report as a practical governance prompt.

The headline is complaints, but the deeper issue is explainability

The DPC’s 45% increase in new cases is a striking figure. It means more individuals are bringing concerns to the regulator, and it means privacy teams should expect more scrutiny of how organisations respond to complaints, access requests and disputed decisions.

The DPC also noted that many of the cases received involved the use of AI by people making complaints, which added to the volume and complexity of material presented. That point is easy to miss. It suggests that privacy complaints are no longer just increasing in number. They may also be arriving with more documentation, more technical framing, more generated material, and more complex narratives.

For organisations, that changes the practical standard of readiness. A weak response is not only one that misses a deadline. It may also be a response that cannot separate fact from assumption, cannot explain why a decision was made, or cannot identify who owned the issue internally.

In practice, DPOs and privacy teams should read the complaints figure as a governance prompt. If a complaint arrived tomorrow, could the organisation quickly find the policy, the decision record, the system owner, the training evidence, the vendor position, the DPIA, the breach assessment or the DSAR log? Could it explain what happened without rebuilding the history from scattered emails?

The organisations that cope better with complaint pressure tend to have a live evidence discipline. They do not wait until a regulator asks for information before trying to reconstruct the story.

AI is now part of ordinary regulatory pressure

AI appears in the DPC’s 2025 report in several different ways. The report refers to the growing scale and complexity of AI processing. It records the DPC’s continued GDPR work on the training of generative AI models by large technology firms based in Ireland. It also notes new inquiries, including one into the use of EU or EEA user data for generative AI model training by X Internet Unlimited Company.

The practical point is that AI is no longer a specialist side-topic. It is part of ordinary privacy governance. AI can appear in complaints, DPIAs, vendor reviews, DSARs, breach analysis, transparency notices, international transfer assessments, children’s services and board risk discussions.

That creates a risk for organisations that still treat AI governance as a separate project. A policy on AI use may help, but it will not be enough if live AI use cases are not connected to data inventories, DPIAs, supplier evidence, access controls, retention rules, human review, logs, prompt and upload practices, model improvement terms, and escalation routes.

For organisations applying that DPC signal to their own connected AI governance, this is especially important for agentic tools and connected AI systems. Where AI functionality can access repositories, create outputs, query systems, remember user context, use plugins, call tools or trigger workflow steps, the privacy question is not only "what model are we using?" It is also "what information can the system reach, store, infer, reuse or expose?"

That matters for the DPO because the accountability record needs to cover the whole use case. If the organisation relies on a vendor’s general statement that personal data is not used for model training, but does not understand logging, retention, retrieval sources, memory settings, connector permissions or human review, the governance record may look better than the actual control environment.

The DPC’s 2025 AI focus should therefore prompt a practical check: are AI use cases governed as live processing activities, or are they being handled as technology purchases with privacy added late?

Breach notifications fell, but breach evidence still matters

The DPC received 6,521 valid breach notifications in 2025, a 16% decrease on 2024. At first glance, that reduction may seem reassuring. The report still gives organisations a very practical warning: almost half of valid breach notifications arose from correspondence being sent to the wrong recipient.

That is not exotic cyber risk. It is ordinary operational weakness. Misdirected post, misdirected email, incorrect attachments, wrong portal permissions and manual handling errors remain serious sources of privacy exposure.

The DPC’s 2025 enforcement activity also shows why breach evidence matters. In the City of Dublin Education and Training Board case, the DPC found infringements relating to security, breach notification and communication to affected individuals. The breach affected approximately 13,000 people and involved data including identifiers, contact details and special category information. The DPC’s findings included failures around appropriate security measures and delay in notifying both the regulator and affected individuals.

For DPOs and leadership teams, the lesson is not only that breaches must be reported when required. It is that the organisation needs a clear evidence file showing what happened, when it was detected, what was known, what was unknown, what containment was taken, how risk was assessed, whether notification was required, and what changed afterwards.

Good breach governance should be boring in the best possible way. There should be a route that staff understand, an owner who can coordinate privacy and security input, a decision log that survives later scrutiny, and a method for tracking lessons learned to closure.

If the same wrong-recipient incidents keep happening, the issue is not just breach response. It is control design.

DSARs remain a practical test of privacy maturity

Subject access requests and complaint handling continue to show whether a privacy programme works in real life. The DPC’s 2025 report includes cases where organisations needed to demonstrate how access rights were handled, including searches, redactions, restrictions and explanations.

One useful pattern from the report is that the DPC does not expect every disputed access request to result in full disclosure of everything. Organisations can sometimes rely on restrictions, exemptions or balancing exercises. But the record has to be good enough. The decision has to be explainable, and the organisation must be able to show why it took the position it took.

That is where many DSAR processes fail. The legal analysis may be sound in theory, but the operational record is thin. Searches are not documented clearly. Exemptions are applied without enough explanation. Redactions are inconsistent. Business teams do not recognise rights requests when they arrive through ordinary service routes. Customer-facing staff are not trained to escalate. The DPO is brought in only after delay has already created the complaint.

The DPC’s case material reinforces the need for practical staff training and documentary evidence. A DSAR process should not depend on one privacy person remembering where everything sits. It should be a repeatable process with clear ownership, search records, escalation points, exemption reasoning and quality review.

For senior teams, DSAR performance is a useful proxy for privacy maturity. If the organisation cannot reliably find, assess and explain personal data in response to an individual, that usually tells you something about the wider control environment.

Children’s data is now a joined-up governance issue

Children’s data remained a major theme in 2025. The DPC’s annual report refers to work on age assurance, the cooperation agreement with Coimisiún na Meán, a joint statement on children’s safety and personal data online, and the wider "Pause Before You Post" campaign on sharenting.

The DPC also recorded a new inquiry into the physical safety and security of children’s health records at Children’s Health Ireland at Tallaght University Hospital. That sits alongside the wider regulatory focus on children’s online safety, age assurance and child-centred transparency.

The practical point for organisations is that children’s data is not a narrow privacy notice issue. It can involve product design, security, transparency, age assurance, parental roles, safeguarding, profiling, behavioural design, online safety, data minimisation, retention and DPIA discipline.

Organisations that process children’s data should be able to show how the interests and rights of children are considered in the design and operation of the service. That means more than saying "children are vulnerable data subjects" in a policy. It means showing that the organisation has tested whether explanations are understandable, whether data collection is proportionate, whether default settings are appropriate, whether age assurance is defensible, and whether staff understand escalation routes.

The 2025 report gives a strong signal that children’s data will remain an area where privacy, safety and digital regulation overlap. That overlap needs clear ownership, because otherwise the work falls between privacy, safeguarding, product, education, marketing and technology teams.

International transfers and BCRs are still governance work

The DPC’s 2025 report also keeps international transfer governance firmly in view. The TikTok transfer decision was the largest fine recorded in the report, with EUR 530 million imposed in relation to transfers of EEA user data to China and corrective measures ordered.

The report also records the DPC’s work on Binding Corporate Rules. In 2025, the DPC acted as lead reviewing supervisory authority for 13 BCR applications from eight companies, and as co-reviewer for other supervisory authorities on nine BCR applications from six companies.

For multinational organisations, this matters because transfer governance is not only a contracting exercise. Standard Contractual Clauses, transfer impact assessments, intragroup agreements, supplementary measures and BCR programmes all depend on operational facts. Who sends what data where? Which entities receive it? Which vendors, subprocessors, support teams or group companies can access it? What onward transfers are possible? What local law or government access risks have been assessed? What technical, organisational and contractual controls are actually in place?

The lesson from the DPC’s 2025 report is that transfer governance must be connected to the live operating model. A central template is useful, but it will not carry the work if business teams do not understand when a new transfer is created, when a vendor change matters, or when AI, support, hosting or analytics arrangements alter the risk.

This is also where the DPO model matters. A DPO or privacy lead who is not brought into procurement, system change, AI adoption, group data sharing or international operating-model decisions will struggle to evidence effective oversight after the fact.

What leadership should ask now

The report gives senior teams a practical opportunity to test whether privacy is operating as a live governance function or as a set of documents.

DPC 2025 signal Leadership question Evidence to look for
Complaint volumes increased sharply Can we explain contested decisions quickly and calmly? Complaint logs, DSAR records, escalation notes, decision records and ownership maps.
AI is increasing complexity Are AI use cases governed as processing activities, not just tools? AI use-case register, DPIAs, vendor evidence, logging and retention review, human oversight records.
Wrong-recipient breaches remain common Are ordinary administrative controls reducing repeat incidents? Breach trend analysis, correspondence controls, staff training, quality checks and closure of corrective actions.
Children’s data remains prominent Have we tested children’s privacy in design, language and default settings? DPIAs, child-friendly transparency, age assurance rationale, safeguarding links and product review records.
Transfers and BCRs remain active Can we explain group, vendor and international data flows? Transfer maps, SCCs, TIAs, supplementary measures, intragroup governance and BCR readiness evidence.

These questions are not only for the DPO. They are board, audit, legal, risk, procurement, product and operations questions. The DPO can advise, challenge and monitor, but the organisation has to carry the operating model.

What this means for the DPO model

The DPC’s 2025 report points to a familiar but increasingly important conclusion: a DPO model has to match the pressure it is expected to carry.

If the organisation is handling more complaints, more AI use, more complex vendor relationships, more cross-border processing, more DSAR pressure, more children’s data exposure or more regulator-facing work, a light-touch privacy model may no longer be proportionate.

That does not always mean replacing the model. Sometimes it means adding specialist support, clearer escalation, stronger board reporting, better evidence routines, or a more structured outsourced DPO arrangement. Sometimes it means reviewing whether the existing DPO has enough independence, authority, access, time and expert support to perform the role properly.

The key point is that DPO effectiveness is practical. It shows up in whether advice is sought early, whether recommendations are recorded, whether risks are escalated, whether business owners act, whether senior leaders receive useful visibility, and whether the organisation can explain the decisions it made.

Annual reports are useful because they give leadership a current external mirror. The DPC’s 2025 report is saying, in effect, that privacy work is becoming more complex, more contested and more evidence-heavy. Organisations should not wait for a complaint, breach or inquiry before asking whether their model can cope.

If that review shows gaps in DPO capacity, independence, conflict management, AI evidence, breach records or board visibility, the next step is not another policy rewrite. It is a practical review of the operating model: who owns the risk, who accepts unresolved recommendations, what evidence exists, and whether the DPO has direct access to senior decision-makers when the position needs to be escalated.

A practical action list for privacy teams

This does not need to become a sprawling remediation programme. A sensible first pass is to choose a small number of evidence checks and make them real.

Start with complaints and DSARs. Review a sample of recent cases and ask whether the file would make sense to someone outside the organisation. Can they see what was requested, what was searched, what was withheld, why, who reviewed it and when?

Then look at breach records. Pick recent incidents and test whether the record separates facts from assumptions, shows the notification assessment, records containment, and tracks corrective actions through to closure.

Next, review AI use cases. Identify the systems or tools that are actually being used, not just those that have been formally approved. Check whether privacy, security, procurement and business ownership are joined up around a governed use case.

Finally, bring the pattern to senior leadership. The most useful board or executive update is not a list of regulatory headlines. It is a short explanation of what those signals mean for the organisation’s own risk, evidence and operating model.

Bringing it together

The DPC Annual Report 2025 is worth reading because it connects regulatory activity with practical governance pressure. Complaints rose sharply. AI increased complexity. Breach notifications still point to ordinary operational controls. DSARs continue to test evidence discipline. Children’s data remains a priority. Transfers and BCRs remain active, serious governance topics.

For DPOs and privacy teams, the report is a prompt to move beyond reactive compliance. For leadership, it is a prompt to ask whether privacy governance is properly resourced, properly evidenced and properly connected to the way the organisation actually works.

The organisations that will be better placed are not necessarily the ones with the most documents. They are the ones that can explain their decisions, show their evidence, identify their owners and adjust their model before pressure arrives.

This article is intended to support the learning covered in Hour 1 of our XpertAcademy CPD programme. The relevant CPD certificate is issued for completion of the full one-hour session on XpertAcademy, rather than for reading this article on its own. You can return to the course here: CPD Event A: Full-Day Regulatory Privacy Training.

Sources consulted