GDPR compliance checklist for Irish businesses (2026)
Steven | TrustYourWebsite · 4 May 2026 · Last updated: May 2026
Ireland's Data Protection Commission (DPC) has issued more GDPR fines by total value than any other EU supervisory authority. The headline cases involve Big Tech. Meta faced a €1.2 billion fine in May 2023 for unlawful data transfers to the US. TikTok received €345 million in September 2023 for failures in protecting children's data. WhatsApp was fined €225 million in September 2021 for transparency breaches.
Those numbers come from multinationals. But the DPC also investigates Irish organisations of all sizes. Its annual reports show hundreds of complaints against domestic controllers (solicitors, estate agents, healthcare providers, retailers) and own-volition investigations into cookie compliance that sweep websites across industry sectors.
This checklist is built around what the DPC actually looks for when it examines Irish businesses.
Check your website before working through this list
Our scanner tests cookie consent, privacy policy presence, company registration details and tracking scripts. It takes 60 seconds.
Section 1: Company identification on your website (4 items)
☐ 1. CRO registration number displayed
Under Section 49 of the Companies Act 2014, Irish limited companies must display their CRO registration number on their website and in business correspondence. The format is a 6-digit number (e.g., 123456). It belongs in the footer of every page and in the terms and conditions.
Sole traders are not subject to the CRO requirement, but must display their trading name and a contact address.
☐ 2. Registered office address and company name
The exact registered name as it appears on the CRO register must be shown alongside the registered office address. A trading name alone, without the registered legal name, is not sufficient for a limited company.
☐ 3. VAT number (if registered)
If your business is VAT-registered, the VAT registration number should appear in business correspondence, invoices and terms. Many Irish SMBs display it in the footer alongside the CRO number.
☐ 4. E-commerce: compliant with S.I. 68/2003
The E-Commerce Regulations 2003 (S.I. No. 68 of 2003) require that online sellers display their email address, company registration details and a geographic address (not just a PO box) before any transaction. Check that these appear on your checkout and contact pages.
Section 2: Cookie consent (6 items)
Cookie consent in Ireland is governed by the ePrivacy Regulations 2011 (S.I. No. 336 of 2011), which implement the EU ePrivacy Directive, alongside the GDPR for any subsequent data processing. The DPC has published guidance and has conducted own-volition cookie sweeps across Irish websites.
☐ 5. Cookie banner present before any non-essential cookies are set
If your website sets cookies that are not strictly necessary for the site to function (analytics, advertising, social media embeds), a consent banner must appear before those cookies are activated.
☐ 6. Reject option as prominent as the Accept option
The DPC follows the EDPB guidance on dark patterns. A large "Accept all" button next to a small greyed-out "Manage preferences" link does not constitute a fair choice. Refuse and Accept must be presented with equivalent visual weight.
☐ 7. No tracking scripts loading before consent
Open your site in a private browsing tab. Use browser developer tools (F12, Network tab) and observe what loads before you interact with the cookie banner. Requests to google-analytics.com, facebook.com/tr or similar advertising domains before you click Accept indicate a failure. This is the test the DPC replicates in cookie investigations.
☐ 8. No pre-ticked boxes in cookie preference panels
If your banner has a detailed preferences panel, analytics and advertising categories cannot be ticked by default. The user must make an active selection.
☐ 9. Consent stored and honoured on return visits
A visitor who rejected cookies on their last visit should not see the banner again on every page load. Consent and refusal must both be remembered. The DPC expects consent records to be retained for at least as long as the data is processed.
☐ 10. A working mechanism to withdraw consent
There must be a way for a user to change their cookie preferences after their initial choice. A "Cookie settings" link in the footer of every page is the standard approach.
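Items 5, 7, 9 and 10 together describe a small piece of front-end logic: record an explicit choice per category, show the banner only when no choice is stored, gate every non-essential script on that choice, and let the visitor withdraw later. The code below is an added example of that logic, not the article's or any consent-management product's code. It assumes the storage and script-loading functions are injected, so the same code runs in a browser (passing `window.localStorage` and a function that appends a `<script>` element) and in Node for testing (passing the Map-backed stub defined here); the storage key, category names and script URLs are constructed.

```javascript
// Added example: a minimal consent record and gated script loader.
const CONSENT_KEY = 'cookie_consent_v1';          // bump the version when your cookie list changes
const CATEGORIES = ['analytics', 'advertising'];   // non-essential categories gated by consent

// `storage` needs getItem/setItem like localStorage; `now` is injectable for tests.
function createConsentManager(storage, now = () => Date.now()) {
  // Read the stored decision; null on first visit or if the record is unusable.
  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      if (rec === null || typeof rec !== 'object' || typeof rec.choices !== 'object') return null;
      return rec;
    } catch (e) {
      return null;
    }
  }

  // Store an explicit true/false for every category. Anything not actively ticked is
  // false, so no category can end up "on" by default (item 8).
  function decide(choices) {
    const normalised = {};
    for (const c of CATEGORIES) normalised[c] = choices[c] === true;
    const rec = { version: 1, decidedAt: new Date(now()).toISOString(), choices: normalised };
    storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    return rec;
  }

  // Item 9: a refusal is a stored decision too, so the banner stays away on return visits.
  function bannerRequired() {
    return read() === null;
  }

  function allowed(category) {
    const rec = read();
    return rec !== null && rec.choices[category] === true;
  }

  // Item 10: withdrawal turns every non-essential category off but keeps a dated record.
  function withdraw() {
    return decide({});
  }

  return { bannerRequired, decide, allowed, withdraw, read };
}

// Called on every page load. Scripts are only fetched for categories with consent (item 7).
function loadGatedScripts(consent, loadScript, scriptsByCategory) {
  const loaded = [];
  for (const [category, srcs] of Object.entries(scriptsByCategory)) {
    if (!consent.allowed(category)) continue;
    for (const src of srcs) {
      loadScript(src);
      loaded.push(src);
    }
  }
  return loaded;
}

// Constructed in-memory stand-in for localStorage so the walk-through runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

// Constructed walk-through: first visit, a return visit after accepting analytics only,
// then a withdrawal. Script URLs are placeholders for a tag loader and a pixel loader.
function demo() {
  const storage = memoryStorage();
  const scripts = {
    analytics: ['https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER'],
    advertising: ['https://connect.facebook.net/en_US/fbevents.js'],
  };
  const calls = [];
  const loadScript = (src) => calls.push(src);

  const visit1 = createConsentManager(storage);
  const before = { bannerShown: visit1.bannerRequired(), loaded: loadGatedScripts(visit1, loadScript, scripts) };
  visit1.decide({ analytics: true });                 // visitor accepts analytics, refuses advertising

  const visit2 = createConsentManager(storage);       // a later page load, same storage
  const returning = { bannerShown: visit2.bannerRequired(), loaded: loadGatedScripts(visit2, loadScript, scripts) };

  visit2.withdraw();                                  // "Cookie settings" -> reject all
  const after = { loaded: loadGatedScripts(visit2, loadScript, scripts), record: visit2.read() };

  return { before, returning, after, totalLoadCalls: calls.length };
}
```

In a browser, `loadScript` would be the function that creates a `<script>` element and appends it to the document, and nothing else on the page should reference the analytics or advertising scripts directly, otherwise the gate is bypassed. Re-running the item 7 Network-tab test after wiring this in is the quickest way to confirm that.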
Section 3: Privacy notice (7 items)
The privacy notice obligation comes from GDPR Articles 13 and 14 and is supplemented by the Data Protection Act 2018 for Irish-specific processing contexts.
☐ 11. Privacy notice accessible from every page
A link to the privacy notice must appear in the footer of every page of the website. The DPC checks for this in all investigations: it is one of the first things the DPC's website-check tool tests.
☐ 12. Controller identity clearly stated
The privacy notice must identify the data controller. For an Irish limited company, this means the registered company name, CRO number and registered office address; the trading name alone is not enough.
☐ 13. Lawful basis for each processing activity
For each category of data you collect, the notice must state the legal basis: consent (Article 6(1)(a)), contract (Article 6(1)(b)), legal obligation (Article 6(1)(c)) or legitimate interests (Article 6(1)(f)). Stating "we process your data in accordance with GDPR" without identifying which basis applies to which activity is not compliant.
☐ 14. Retention periods specified
The notice must state how long you keep each category of personal data, or the criteria used to determine that period. For Irish businesses, note that company accounts and associated financial records must be retained for 6 years under the Companies Act 2014. Records subject to Revenue's requirements may need to be kept for 6 years from the end of the accounting period.
☐ 15. Third-party recipients and data processors named
Every third-party tool or service that processes your customers' data on your behalf must be disclosed. Google Analytics, Mailchimp, Stripe, Shopify, HubSpot, your hosting provider: all are data processors. Name them in the notice or maintain an accessible sub-processor list.
☐ 16. US and non-EEA data transfers addressed
If you use US-based tools (Google, Meta, Stripe, Salesforce, AWS), personal data is transferred outside the EEA. Following the EU-US Data Privacy Framework (July 2023), transfers to DPF-certified companies are lawful. Your privacy notice should mention the transfer mechanism and name the recipient countries.
☐ 17. Data subject rights procedure described
The notice must explain how individuals can exercise their rights: access (DSAR), rectification, erasure, restriction, portability and objection. Provide a contact email or form. Under GDPR Article 12, you have one calendar month to respond to a DSAR, with a possible two-month extension for complex requests.
Section 4: Forms and data collection (5 items)
☐ 18. Marketing opt-in is separate and unticked by default
Any opt-in to marketing communications must be a separate, unticked checkbox. Bundling it into acceptance of terms and conditions is not valid consent.
☐ 19. Purpose stated at the point of data collection
Each form should tell the user what their data will be used for. A brief statement above or below the submit button (for example: "We'll use your email to respond to your enquiry and will not add you to any mailing list") is sufficient for a contact form.
☐ 20. Unsubscribe link works in every marketing email
Every commercial email must contain a working unsubscribe link. Clicking it must result in removal from the list. Under the ePrivacy Regulations 2011, unsubscribing from direct marketing must be easy and free to the recipient.
☐ 21. Checkout does not pre-tick marketing consent
In an e-commerce checkout, the box for "Send me offers and updates" must be unticked by default. Pre-ticked boxes have been specifically cited by the DPC as a dark pattern that invalidates consent.
☐ 22. Proof of consent retained for marketing lists
You must be able to demonstrate, if asked by the DPC, that each subscriber on your mailing list gave valid consent, when they consented and what they consented to. Most email marketing platforms (Mailchimp, Campaign Monitor, Klaviyo) log this automatically. Verify that your records are complete.
Section 5: Data processors and security (6 items)
☐ 23. Data Processing Agreements in place with all processors
For every third-party service that processes personal data on your behalf, you need a Data Processing Agreement (DPA) under GDPR Article 28. Most major platforms include one in their terms or make it available in account settings.
☐ 24. Website runs on HTTPS with a valid TLS certificate
An expired or missing TLS certificate is a GDPR Article 32 security failure if you collect personal data. Check your certificate expiry date and set an automatic renewal alert.
☐ 25. CMS and plugins kept up to date
Outdated WordPress installations and unmaintained plugins are a primary source of data breaches for Irish SMBs. Personal data compromised through a known, unpatched vulnerability constitutes a security failure under Article 32.
☐ 26. 72-hour breach notification procedure in place
Under GDPR Article 33, a personal data breach that poses a risk to individuals must be reported to the DPC within 72 hours of becoming aware of it. Know who in your organisation is responsible for making that call and have the DPC's online breach reporting form bookmarked at forms.dataprotection.ie.
☐ 27. Record of processing activities maintained
Most Irish SMBs whose processing is not occasional are required to maintain a Record of Processing Activities (RoPA) under GDPR Article 30. A simple spreadsheet listing each processing activity, its purpose, legal basis, data categories, recipients and retention period meets the requirement.
☐ 28. Google Fonts loaded locally or replaced
Embedding Google Fonts directly from fonts.googleapis.com transmits the visitor's IP address to Google on every page load, without consent. The EDPB and multiple DPAs have confirmed this is a transfer of personal data. Self-host the font files to eliminate the risk.
Section 6: The DPC's enforcement priorities
The DPC publishes anonymised summaries of its decisions against Irish organisations. Recent patterns from the 2023-2025 period:
- Cookie consent failures: the DPC has run multiple own-volition investigations targeting specific sectors (retail, healthcare, hospitality) and notified businesses of non-compliant banners. Decisions in these cases typically require corrective action within 30 days.
- DSAR failures: ignoring or excessively delaying a data subject access request is one of the most common complaint subjects. The DPC expects a substantive response within one calendar month.
- Inadequate privacy notices: privacy notices that do not identify the legal basis for each processing activity, or that fail to name third-party recipients, regularly feature in DPC decisions against smaller Irish organisations.
- Breach notifications: failing to notify the DPC within 72 hours of a breach, or notifying with inadequate detail, compounds the original breach finding.
For the step-by-step audit process, including how to test your cookie banner technically, see our GDPR website audit checklist.
Sources
- Data Protection Commission (DPC)
- Data Protection Act 2018
- ePrivacy Regulations 2011, S.I. No. 336 of 2011
- GDPR (Regulation (EU) 2016/679)
- Companies Act 2014, Section 49
This is technical analysis, not legal advice. Consult a solicitor or data protection specialist for advice on your specific situation.