IrelandA data breach exposed my information. What should happen?
If a data breach exposes your personal information in Ireland, the controller must notify the Data Protection Commission (DPC) within 72 hours and inform you without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
What the Law Says
The Data Protection Act 2018 sets out clear obligations for organisations (controllers) when a personal data breach occurs. These rules implement the GDPR in Irish law and give you enforceable rights.
A 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
If a breach occurs, the controller must report it to the Data Protection Commission (DPC) within 72 hours of becoming aware of it — unless the breach is unlikely to result in a risk to people’s rights and freedoms.
You, as the affected individual, must be informed directly and without undue delay if the breach is likely to result in a 'high risk' to your rights and freedoms — for example, identity theft, financial loss, damage to reputation, or discrimination.
The notification to you must describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it.
Statutory TextWhere a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
— Data Protection Act 2018, s. 86 — Notification of a personal data breach to the data subject
What to Do
Check if you received a direct notification from the organisation — it should explain what data was exposed and what they’re doing about it.
Contact the Data Protection Commission (www.dataprotection.ie) if you believe the organisation failed to notify you or the DPC properly.
Monitor your bank accounts, credit reports, and online accounts for suspicious activity — especially if financial or identification data was involved.
Consider placing a fraud alert with credit reference agencies (e.g., illion Ireland) if your name, address, PPS number, or date of birth were compromised.
Sources
Same Question, Other Jurisdictions
Canada
Australia
Singapore
European Union
India
South Korea
UK
US-California
US-New York
JapanNot legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.