The General Data Protection Regulation sets the rules for how organisations handle personal data. As an Irish business, you’re operating in the home jurisdiction of the Data Protection Commission—the lead supervisory authority for many of the world’s largest technology companies.

What GDPR compliance actually means

GDPR isn’t just about cookie banners and privacy policies. It requires you to:

  • Know what personal data you hold and why you’re processing it
  • Have a lawful basis for each processing activity
  • Protect that data with appropriate security measures
  • Respect individuals’ rights over their data
  • Be accountable and able to demonstrate compliance

The regulation applies to any organisation processing personal data of EU residents, regardless of where you’re based.

Who needs to focus on GDPR

Every organisation that handles personal data needs some level of GDPR compliance. However, dedicated support is particularly valuable for:

  • Organisations processing sensitive data (health, financial, children’s data)
  • Companies expanding into EU markets
  • Businesses undergoing due diligence from investors or acquirers
  • Organisations that have received complaints or enquiries from the DPC
  • Any business wanting to build trust with customers about data handling

How we can help

Compliance assessment

We’ll review your current data processing activities against GDPR requirements and identify areas that need attention. You’ll receive a practical report with prioritised recommendations.

Privacy programme development

For organisations building their privacy function from scratch, we can help establish:

  • Data processing registers (Article 30 records)
  • Privacy notices and consent mechanisms
  • Data subject rights procedures
  • Breach response processes
  • Vendor management frameworks

Data Protection Impact Assessments

When you’re planning new processing activities that might present high risks to individuals, we can conduct or support DPIAs as required under Article 35.

DPO support

If you need a Data Protection Officer but don’t have the scale for a full-time appointment, we can provide DPO-as-a-service or support your existing DPO with specialist expertise.

Incident response

If you’re dealing with a potential data breach, we can help you assess the situation, determine notification obligations, and manage the response process.

What to expect

Initial compliance assessments typically take 2-4 weeks depending on your organisation’s complexity. Privacy programme development is an ongoing engagement that we’ll scope based on your specific needs.

Common questions

Do we need a Data Protection Officer?

Article 37 specifies when a DPO is mandatory—primarily for public authorities and organisations whose core activities involve large-scale monitoring or processing of sensitive data. Even if not strictly mandatory, having someone accountable for privacy is good practice and often expected by enterprise customers.

How much can GDPR fines be?

Administrative fines can reach €20 million or 4% of global annual turnover, whichever is higher. In practice, the Irish DPC has issued multi-million-euro fines to major technology companies. More commonly, smaller organisations face reprimands, orders to comply, and the reputational damage of a public enforcement action.

How long does GDPR compliance take to achieve?

An initial compliance assessment typically takes 2-4 weeks. Remediation depends on your starting point and complexity—many organisations reach a defensible compliance position within 3-6 months, with ongoing refinement thereafter. GDPR is not a one-time project; it requires ongoing operational attention.

How does GDPR relate to ISO 27001?

ISO 27001 addresses information security broadly, while GDPR specifically concerns personal data protection. They complement each other well—ISO 27001’s security controls support GDPR’s Article 32 security requirements, and many organisations pursue both frameworks together to avoid duplication of effort.

What about international data transfers after Schrems II?

Transferring personal data outside the EU requires careful consideration. You’ll typically need Standard Contractual Clauses plus a Transfer Impact Assessment, and in some cases supplementary technical measures like encryption or pseudonymisation. We can help you assess your transfer mechanisms and implement appropriate safeguards.

We only process data for B2B customers—does GDPR still apply?

Yes. GDPR applies to any processing of personal data about individuals, including B2B contact details (a buyer’s name, email, and work phone are still personal data). The lawful basis and level of obligation may differ, but the regulation still applies.

Ready to discuss your requirements?

Let's have a conversation about how we can help your organisation.