
The General Data Protection Regulation sets the rules for how organisations handle personal data. As an Irish business, you are operating in the home jurisdiction of the Data Protection Commission, the lead supervisory authority for many of the world’s largest technology companies.

What GDPR compliance actually means

GDPR is not just about cookie banners and privacy policies. It requires you to:

  • Know what personal data you hold and why you are processing it.
  • Have a lawful basis for each processing activity.
  • Protect that data with appropriate security measures.
  • Respect individuals’ rights over their data.
  • Be accountable and able to demonstrate compliance.

The regulation applies to any organisation processing personal data of EU residents, regardless of where you are based.

Who needs to focus on GDPR

Every organisation that handles personal data needs some level of GDPR compliance. Dedicated support is particularly valuable for:

  • Organisations processing sensitive data (health, financial, children’s data).
  • Companies expanding into EU markets.
  • Businesses undergoing due diligence from investors or acquirers.
  • Organisations that have received complaints or enquiries from the DPC.
  • Any business wanting to build trust with customers about data handling.

How we can help

Compliance assessment

We review your current data processing activities against GDPR requirements and identify areas that need attention. You will receive a practical report with prioritised recommendations.

Privacy programme development

For organisations building their privacy function from scratch, we can help establish data processing registers (Article 30 records), privacy notices and consent mechanisms, data subject rights procedures, breach response processes, and vendor management frameworks.

Data Protection Impact Assessments

When you are planning new processing activities that might present high risks to individuals, we can conduct or support DPIAs as required under Article 35.

DPO support

If you need a Data Protection Officer but do not have the scale for a full-time appointment, we can provide DPO as a service or support your existing DPO with specialist expertise.

Incident response

If you are dealing with a potential data breach, we can help you assess the situation, determine notification obligations, and manage the response process.

What to expect

Initial compliance assessments typically take 2 to 4 weeks depending on your organisation’s complexity. Privacy programme development is an ongoing engagement that we will scope based on your specific needs.

Common questions

Do we need a Data Protection Officer?

Article 37 specifies when a DPO is mandatory, primarily for public authorities and organisations whose core activities involve large-scale monitoring or processing of sensitive data. Even if not strictly mandatory, having someone accountable for privacy is good practice and often expected by enterprise customers.

How much can GDPR fines be?

Administrative fines can reach €20 million or 4% of global annual turnover, whichever is higher. In practice the Irish DPC has issued multi-million-euro fines to major technology companies. More commonly, smaller organisations face reprimands, orders to comply, and the reputational damage of a public enforcement action.

How long does GDPR compliance take to achieve?

An initial compliance assessment typically takes 2 to 4 weeks. Remediation depends on your starting point and complexity. Many organisations reach a defensible compliance position within 3 to 6 months, with ongoing refinement after. GDPR is not a one-time project. It requires ongoing operational attention.

How does GDPR relate to ISO 27001?

ISO 27001 addresses information security broadly, while GDPR specifically concerns personal data protection. They complement each other well. ISO 27001's security controls support GDPR's Article 32 security requirements, and many organisations pursue both frameworks together to avoid duplication of effort.

What about international data transfers after Schrems II?

Transferring personal data outside the EU requires careful consideration. You will typically need Standard Contractual Clauses plus a Transfer Impact Assessment, and in some cases supplementary technical measures such as encryption or pseudonymisation. We can help you assess your transfer mechanisms and implement appropriate safeguards.

We only process data for B2B customers. Does GDPR still apply?

Yes. GDPR applies to any processing of personal data about individuals, including B2B contact details. A buyer's name, email, and work phone are still personal data. The lawful basis and level of obligation may differ, but the regulation still applies.

Ready to discuss your requirements?

Let's have a conversation about how we can help your organisation.
