The General Data Protection Regulation sets the rules for how organisations handle personal data. As an Irish business, you’re operating in the home jurisdiction of the Data Protection Commission—the lead supervisory authority for many of the world’s largest technology companies.

What GDPR compliance actually means

GDPR isn’t just about cookie banners and privacy policies. It requires you to:

  • Know what personal data you hold and why you’re processing it
  • Have a lawful basis for each processing activity
  • Protect that data with appropriate security measures
  • Respect individuals’ rights over their data
  • Be accountable and able to demonstrate compliance

The regulation applies to any organisation processing personal data of EU residents, regardless of where you’re based.

Who needs to focus on GDPR

Every organisation that handles personal data needs some level of GDPR compliance. However, dedicated support is particularly valuable for:

  • Organisations processing sensitive data (health, financial, children’s data)
  • Companies expanding into EU markets
  • Businesses undergoing due diligence from investors or acquirers
  • Organisations that have received complaints or enquiries from the DPC
  • Any business wanting to build trust with customers about data handling

How I can help

Compliance assessment

I’ll review your current data processing activities against GDPR requirements and identify areas that need attention. You’ll receive a practical report with prioritised recommendations.

Privacy programme development

For organisations building their privacy function from scratch, I can help establish:

  • Data processing registers (Article 30 records)
  • Privacy notices and consent mechanisms
  • Data subject rights procedures
  • Breach response processes
  • Vendor management frameworks

Data Protection Impact Assessments

When you’re planning new processing activities that might present high risks to individuals, I can conduct or support DPIAs as required under Article 35.

DPO support

If you need a Data Protection Officer but don’t have the scale for a full-time appointment, I can provide DPO-as-a-service or support your existing DPO with specialist expertise.

Incident response

If you’re dealing with a potential data breach, I can help you assess the situation, determine notification obligations, and manage the response process.

What to expect

Initial compliance assessments typically take 2-4 weeks depending on your organisation’s complexity. Privacy programme development is an ongoing engagement that I’ll scope based on your specific needs.

Common questions

Do we need a Data Protection Officer? Article 37 specifies when a DPO is mandatory—primarily for public authorities and organisations whose core activities involve large-scale monitoring or processing of sensitive data. Even if not mandatory, having someone accountable for privacy is good practice.

What happens if we’re not compliant? The DPC has powers to issue warnings, reprimands, orders to comply, and fines up to €20 million or 4% of global turnover. More practically, non-compliance creates business risk through customer complaints, contract issues, and reputational damage.

How does GDPR relate to ISO 27001? ISO 27001 addresses information security broadly, while GDPR specifically concerns personal data protection. They complement each other well—ISO 27001’s security controls support GDPR’s security requirements (Article 32).

What about international data transfers? Post-Schrems II, transferring personal data outside the EU requires careful consideration. I can help you assess your transfer mechanisms and implement appropriate safeguards.

Ready to discuss your requirements?

Let's have a conversation about how I can help your organisation.