The Data Protection Commission (DPC) received less than a third of the additional funding it sought in Budget 2020, a situation that leaves it having to reassess its planned expenditure for next year.

The decision to turn down the commission’s budget request comes just months after the DPC ruled it was unlawful for the State to keep data on more than three million people who have a public services card.

In a statement on Wednesday, commissioner Helen Dixon expressed disappointment at the decision not to allocate all of the funding the organisation requested.

“The DPC is disappointed that the additional funding allocated is less than one-third of the funding that the DPC requested in its budget submission. The submission reflected a year of experience of regulating under the General Data Protection Regulation (GDPR) and highlighted the increased volumes and complexities involved,” she said.

“The DPC must now reassess its planned expenditure for 2020, particularly in relation to foreseen non-pay expenditure for which the DPC has received a zero increase in allocation,” she added.

The commission received an additional €1.6 million in the budget, bringing its total funding allocation to €16.9 million. This represents an 11 per cent increase on its allocation for this year.

However, in its recent pre-budget submission it sought a total of €5.9 million to bring its annual budget to €21.1 million to help it deal with the considerable extra work it faced due to the introduction of GDPR. This comprehensive European Union data-protection legislation came into force last year and governs the privacy practices of any company handling EU citizens’ data.

GDPR workload

Since the application of GDPR in May 2018, the DPC has seen a significant increase in workload. Since January, more than 7,000 complaints and almost 5,000 breach notifications have been received by the commission and it has been contacted by businesses and consumers seeking guidance on more than 40,000 occasions during that time.

Given that many multinational tech companies have their European headquarters in the State, the commission effectively acts as the EU’s lead supervisory authority in terms of regulating them.

Increases in funding for the office in recent years have been made to allow the organisation to recruit additional staff with various specialist backgrounds to meet the extra demands placed on the organisation.

“The optics of a regulator who will be getting busier post-Brexit, who is already recognised as being under-resourced, getting significantly less than asked for in a budget after taking action against a flagship project of the department for budgets aren’t good internationally,” tweeted data-protection consultant Daragh O’Brien of Irish company Castlebridge Associates.

The Department of Public Expenditure and Reform was contacted for comment but had not responded at time of publication.