Summary
- A Compliance Institute survey found that 51% of Irish compliance professionals believe some data breaches go unreported.
- Fear of personal blame, brand damage, and regulatory scrutiny were cited as reasons breaches may not be escalated.
- The findings show that data protection risk depends on reporting culture, decision routes, and escalation discipline, not only policies and tools.
The Compliance Institute has found that more than half of Irish compliance professionals believe data protection breaches continue to go unreported inside organisations, exposing a gap between written controls and everyday escalation behaviour.
The survey of 150 compliance professionals, mostly working in Irish financial services organisations, found that 51% believe some breaches go unreported. Of those respondents, 19% said many breaches may go unreported, while 32% said a few may go unreported. The figure has fallen from 65% in an autumn 2023 survey, but it still points to a persistent weakness in breach escalation.
The reasons given show how reporting can fail before senior leaders or regulators are even involved. Fear of personal accountability was cited by 26% of respondents as the main reason breaches might not be reported. Brand damage was cited by 22%, while 19% pointed to regulatory scrutiny or penalties. A further 33% said organisations would not, in the main, knowingly fail to report a breach.
That distinction is important. The problem is not always deliberate concealment by an organisation. It can be hesitation by an employee, uncertainty from a manager, unclear thresholds for escalation, or delay while teams try to understand whether an incident is serious enough to report. In data protection, those delays can have legal, operational, and reputational consequences.
Under GDPR, personal data breaches must be assessed quickly, recorded, and reported to the relevant supervisory authority where the risk threshold is met. The 72-hour reporting window places pressure on organisations to make early decisions from incomplete information. A mature compliance culture therefore depends on incident rehearsals, clear ownership, trusted escalation routes, and close coordination between privacy, legal, security, risk, and business teams.
Ireland’s position gives the findings added weight. The country hosts major technology operations, international financial services activity, and organisations that process data across borders. Domestic firms also face rising expectations around operational resilience, outsourcing oversight, cyber governance, and data protection evidence. A breach that is not escalated promptly can affect customers, regulators, counterparties, insurers, and service partners.
The survey also connects data protection with cyber resilience. Breach reporting is often treated as a privacy compliance exercise, but the root cause may be phishing, a misconfigured cloud service, supplier failure, insider error, lost devices, or ransomware. Organisations that separate privacy, cyber, and operational risk too rigidly can misread the nature of an incident and lose valuable time.
AI adoption adds another layer of pressure. Businesses are putting sensitive data into new workflows, experimenting with generative tools, and automating decisions that may affect customers or employees. Without strong reporting culture, small incidents in AI-enabled processes can become normalised before controls are adjusted. The risk is not only a headline breach. It is the quiet accumulation of incidents that prevents organisations from learning where controls are weak.
Boards and executive teams often receive dashboards showing training completion, policy coverage, audit results, and incident counts. Those figures are useful only if staff feel able to raise concerns quickly. A low number of reported incidents may reflect strong controls, but it may also show that people are afraid of blame, unsure of the process, or unconvinced that escalation will be handled fairly.
Data protection compliance is usually measured through documents, records, and control frameworks. The harder test is whether bad news travels fast enough to reduce harm. Ireland’s compliance professionals are signalling that many organisations still need to make breach reporting safer, clearer, and more operationally reliable.










