The General Data Protection Regulation is now eight years in force. The Data Protection Commission is the most active data-protection regulator in the European Union by volume of cross-border investigation and by quantum of fine imposed. An Irish business operating in 2026 cannot treat GDPR as a one-off compliance project; it is an operational discipline that requires continuing attention.
This is a working note on where the obligations actually bite for an Irish operating business. It is written for the in-house counsel, finance leader or business owner who needs to know what the Commission expects and what the working compliance posture looks like in practice.
The legal architecture
GDPR has direct effect in Ireland and is supplemented by the Data Protection Act 2018, which transposes the limited derogations the Regulation permits, establishes the Data Protection Commission's powers and procedures, and provides for certain Irish-specific rules on processing children's data, special categories of personal data, and processing for journalism, academic, artistic and literary purposes.
The principal obligations on a controller — the Regulation's term for the entity that determines the purposes and means of processing — are to identify a lawful basis for each processing operation, to provide transparent information to data subjects, to honour data subjects' rights, to implement appropriate technical and organisational measures, to record processing activities, to notify breaches, and to enter written contracts with processors. Each of these is a discrete obligation and each is enforceable.
The Data Protection Commission's enforcement posture
The Commission's published enforcement decisions over the past five years give a clear picture of where the regulator is focused. The major fines have concentrated on large platforms — Meta, Google, TikTok, LinkedIn — with cross-border processing of EU residents' data. For smaller Irish businesses, the Commission's enforcement has focused on a different set of issues: unlawful direct marketing, breaches of data-subject rights, inadequate transparency, insecure processing leading to a notifiable breach, and failure to maintain records of processing activities.
The working compliance posture for an Irish small or medium business is therefore not to focus on the headline-grabbing fines but on the operational issues that the Commission's smaller-business enforcement consistently addresses. These are the issues that affect every operating business and that the Commission will examine on any complaint or audit.
Lawful basis and the consent question
Every processing operation must rest on one of the six lawful bases in Article 6: consent, contract, legal obligation, vital interests, public task, or legitimate interests. The choice of lawful basis is a matter of substance, not form. A business that mis-identifies its lawful basis — claiming consent where the processing is actually under contract, or claiming legitimate interests where consent is required — is exposed regardless of whether the processing itself is otherwise lawful.
The most common mis-identification I see in Irish businesses is over-reliance on consent. Consent under GDPR is a high standard — freely given, specific, informed, unambiguous, and capable of withdrawal as easily as it was given. Most ordinary business processing does not meet this standard, because consent is not freely given in the context of a service the customer needs, or because the consent mechanism does not provide easy withdrawal. The correct lawful basis for most business processing is contract or legitimate interests, with consent reserved for marketing, optional features and sensitive data processing.
The discipline is to identify, for each processing operation, the lawful basis and to document the analysis. The documentation lives in the record of processing activities, which is a statutory obligation for any controller with more than 250 employees and which the Commission expects to see from smaller businesses as well.
Data subject rights — the response discipline
Articles 15 to 22 confer rights on data subjects: access, rectification, erasure, restriction, portability, objection, and rights in relation to automated decision-making. The most exercised right in Irish practice is the right of access, with the right to erasure a distant second.
The response timetable is one month from receipt of the request, extendable to three months for complex requests with notice to the data subject. The response must be in writing, must address each item the data subject has asked for, and must be in a format the data subject can use. Refusal is permitted only in limited circumstances — manifestly unfounded or excessive requests, or where the request infringes the rights and freedoms of others — and refusal must be reasoned and notified to the data subject within the response window.
The practical compliance step is to have a data-subject-request procedure in writing, with a named owner, a logged inbox, a template response, and a calendar reminder for the one-month deadline. Most failures I see in Irish businesses are not failures of substance — the underlying answer to the request is usually correct — but failures of timing or completeness. The Commission's enforcement here is unforgiving.
The breach-notification obligation
Article 33 requires a controller to notify the Data Protection Commission of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Article 34 requires notification to affected data subjects where the breach is likely to result in a high risk.
The 72-hour window is short and the Commission has indicated repeatedly that it begins from the time the controller becomes aware of the breach, not from the time the breach is fully investigated. The practical implication is that an Irish business must have a breach-response procedure that can identify, classify and report a breach within three days, with the option of providing supplementary information in subsequent communications.
The most common failure I see is not failure to notify, but failure to maintain the contemporaneous record. A breach that is notified within the window but is not supported by an internal record of when it was discovered, how it was investigated, who made the notification decision and what mitigation was implemented is exposed if the Commission later audits.
International transfers and the post-Schrems landscape
Transfers of personal data outside the European Economic Area require a transfer mechanism: an adequacy decision, standard contractual clauses with a transfer impact assessment, binding corporate rules, or a derogation. The Schrems II decision of the Court of Justice of the European Union in 2020 invalidated the Privacy Shield framework for transfers to the United States, and the replacement EU-US Data Privacy Framework adequacy decision of July 2023 is itself the subject of pending litigation.
For an Irish business with US-bound data flows, the working position is to rely on the Data Privacy Framework where the US recipient is certified, with standard contractual clauses and a transfer impact assessment as a fallback. Both should be documented. Reliance on the Framework alone is exposed to the risk of further litigation; reliance on SCCs alone is more conservative but more administratively burdensome.
For UK-bound transfers, the European Commission's adequacy decision in respect of the UK remains in force and supports transfer without additional safeguards. The broader UK position is discussed in Brexit and your commercial contracts five years on.
Records of processing activities
Article 30 requires controllers to maintain records of their processing activities. The records are not filed with the Commission but must be available on request. The records should set out, for each processing operation, the categories of data subjects, the categories of personal data, the purposes of the processing, the recipients, any transfers outside the EEA, the retention periods, and a general description of the technical and organisational security measures.
The records are the single document the Commission asks for first in any audit or investigation. A business that cannot produce its records on request is in immediate difficulty. The records do not need to be elaborate; they need to be complete, accurate and current. A spreadsheet that lists each processing operation and the relevant attributes is sufficient, provided it is maintained.
The Data Protection Officer question
Article 37 requires the appointment of a Data Protection Officer where the controller's core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of processing special categories of data on a large scale. For most Irish small and medium businesses, the DPO obligation does not arise.
Where it does arise, the DPO must be sufficiently independent, must report to the highest level of management, must not be dismissed for performing their functions, and must have specialist knowledge of data protection law and practice. The DPO can be an employee, a member of staff with other duties (provided there is no conflict), or an external service provider. The choice depends on the size and complexity of the processing.
The working compliance cadence
A working data-protection compliance cadence for an Irish business looks like this. Annual review of the records of processing activities. Annual review of the privacy notices on the website and in customer-facing documentation. Quarterly review of the breach-response procedure with a tabletop exercise once a year. Annual training for staff with significant exposure to personal data. Ad hoc review of new processing operations as they are introduced. The discipline is periodic and modest; the failure mode is to treat compliance as a one-off project.
For a related working note on directors' duties — which now include an explicit obligation in regulated firms to maintain adequate compliance arrangements — see directors' duties in Ireland — 2026 update.
Hugh Phelan is a Notary Public and Principal Solicitor at Phelan Solicitors, Douglas, Cork. For an appointment call (021) 489-7134 or visit phelansolicitors.com.