GDPR website audit checklist for Irish businesses

Steven | TrustYourWebsite · 4 May 2026 · Last updated: May 2026

This GDPR website audit checklist is for Irish businesses that want to know whether their site would survive a DPC compliance review. It walks each area in the order a DPC investigator would examine it.

A GDPR audit of your website is not a one-time task. New plugins, embedded third-party tools and changing service providers each create new data flows. An Irish business that last checked its site in 2022 may find things have drifted significantly.

What makes an Irish website audit distinct from a generic GDPR review is the specific legal landscape: the Data Protection Act 2018 alongside the GDPR, the ePrivacy Regulations 2011 (S.I. No. 336 of 2011) for cookies, the Companies Act 2014 for company identification and the DPC as the supervisory authority with a track record of investigating Irish organisations across all sectors.



Before you start

You need:

  • A laptop with a modern browser (Chrome, Firefox or Edge)
  • Access to your website's CMS or admin panel
  • Access to your email marketing platform (Mailchimp, Campaign Monitor, etc.)
  • A note of which third-party tools your site uses (analytics, payments, live chat, etc.)

Our scanner handles steps 1 and 2 automatically if you want a baseline before the manual walkthrough.



Step 1: Test whether tracking scripts load before consent

This is the most common failure the DPC finds, and it is testable in under five minutes.

What to do:

  1. Open your website in a new private/incognito browsing tab
  2. Open developer tools before the page fully loads (F12 in Chrome or Firefox)
  3. Go to the Network tab and clear any existing requests
  4. Let the page load fully without touching the cookie banner
  5. Look for requests to: google-analytics.com, analytics.google.com, facebook.com/tr, googletagmanager.com, doubleclick.net, hotjar.com, clarity.ms

If any of these appear before you have clicked Accept, your site is loading tracking scripts without consent. This is a direct violation of the ePrivacy Regulations 2011 and GDPR.

Then:

  1. Click Reject All on the banner
  2. Reload the page
  3. Check the Network tab again

If the same tracking requests reappear after a rejection, your consent management platform (CMP) is not functioning correctly.
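The two-capture test above, automated as an added example that is not part of the original article: export the Network tab as a HAR file for each load (before any banner click, and after Reject All) and scan both for requests to the domains the article lists. The HAR contents below are constructed sample data, and example.ie and the GTM-EXAMPLE / G-EXAMPLE ids are placeholders.

```javascript
// Added example, not from the original article: scan two DevTools HAR exports
// (Network tab > "Save all as HAR") for requests to the tracker domains the
// article lists. The HAR contents below are constructed sample data.
const TRACKERS = [
  { host: 'google-analytics.com' }, { host: 'analytics.google.com' },
  { host: 'facebook.com', path: '/tr' }, { host: 'googletagmanager.com' },
  { host: 'doubleclick.net' }, { host: 'hotjar.com' }, { host: 'clarity.ms' },
];

// True if the URL's host is a listed domain (or a subdomain of one) and,
// where the list names a path such as facebook.com/tr, the path matches too.
function isTracker(urlString) {
  const url = new URL(urlString);
  return TRACKERS.some(t =>
    (url.hostname === t.host || url.hostname.endsWith('.' + t.host)) &&
    (!t.path || url.pathname.startsWith(t.path)));
}

// Every request in a HAR object that went to a tracker.
function trackerRequests(har) {
  return har.log.entries.map(e => e.request.url).filter(isTracker);
}

// Constructed capture 1: first page load in a private window, banner untouched.
const beforeConsent = { log: { entries: [
  { request: { url: 'https://example.ie/' } },
  { request: { url: 'https://example.ie/wp-content/themes/shop/style.css' } },
  { request: { url: 'https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE' } },
  { request: { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE' } },
  { request: { url: 'https://www.facebook.com/tr?id=000&ev=PageView' } },
] } };
// Constructed capture 2: reload after clicking Reject All. The GA and Facebook
// beacons are gone, but the container script still loads.
const afterReject = { log: { entries: [
  { request: { url: 'https://example.ie/' } },
  { request: { url: 'https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE' } },
] } };

// Verdict in the article's two terms: loads before consent / ignores rejection.
function audit(before, after) {
  const pre = trackerRequests(before), post = trackerRequests(after);
  return {
    loadsBeforeConsent: pre.length > 0,
    ignoresRejection: post.length > 0,
    preConsentTrackers: pre,
    postRejectTrackers: post,
  };
}
console.log(JSON.stringify(audit(beforeConsent, afterReject), null, 2));
```

Replace the constructed objects with `JSON.parse(fs.readFileSync('capture.har'))` to run it against real exports.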

Common causes:

The most frequent root cause is Google Analytics or Google Tag Manager inserted directly into the website theme or page template, bypassing the CMP entirely. The CMP controls what it knows about. Trackers hardcoded into a WordPress theme are invisible to it.

The fix is to ensure all tracking scripts are loaded through Tag Manager, and that Tag Manager itself is configured in consent mode so it only fires tags after the user has given consent for the relevant category.
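What that consent-mode configuration looks like in the page, as an added example rather than code from the original article: the defaults are pushed before the Tag Manager container snippet, and the banner updates them once the visitor has chosen. The gtag()/dataLayer calls and the consent signal names are Google's documented Consent Mode API; the shape of the banner choice object ({ analytics, advertising }) is an assumption.

```javascript
// Added example, not from the original article: Google Consent Mode defaults
// for a site that loads every tag through Tag Manager. The gtag()/dataLayer
// calls and the consent signal names are Google's documented API; the banner
// choice object shape ({ analytics, advertising }) is an assumption.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

// Runs in the page BEFORE the GTM container snippet: every storage category is
// denied until the visitor chooses, so tags gated on consent cannot fire.
// wait_for_update gives the CMP up to 500 ms to replay a remembered choice.
function setConsentDefaults() {
  gtag('consent', 'default', {
    analytics_storage: 'denied',
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    wait_for_update: 500,
  });
}

// Called by the banner on Accept All, Reject All or Save preferences. Maps the
// banner's two categories to the consent signals Tag Manager evaluates.
function applyBannerChoice(choice) {
  const state = on => (on ? 'granted' : 'denied');
  const update = {
    analytics_storage: state(choice.analytics),
    ad_storage: state(choice.advertising),
    ad_user_data: state(choice.advertising),
    ad_personalization: state(choice.advertising),
  };
  gtag('consent', 'update', update);
  return update;
}

// Audit helper: the latest value pushed for one signal, or null if none.
function currentConsent(signal) {
  let latest = null;
  for (const entry of dataLayer) {
    if (entry[0] === 'consent' && entry[2] && signal in entry[2]) latest = entry[2][signal];
  }
  return latest;
}

setConsentDefaults();
```

A tag that bypasses the CMP by being pasted straight into the theme ignores these signals entirely, which is why the Step 1 network test still has to be run after the change.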


Step 2: Cookie banner design

Technical function and visual design are separate tests. A banner that blocks scripts correctly can still fail on consent quality if the visual design manipulates choice.

Check for these specific patterns that the DPC has cited in its guidance:

  • Accept and Reject buttons are not equivalent in visual prominence (one is coloured, the other is greyed out or text-only)
  • The option to reject requires more clicks than the option to accept (e.g., Accept is one click but Reject requires opening a preferences panel first)
  • Analytics and advertising categories are pre-selected in the detailed preferences panel
  • The banner reappears on every page load regardless of previous choice
  • There is no mechanism to change preferences after the initial choice

The DPC's published guidance on dark patterns follows the EDPB's Guidelines 03/2022 on Dark Patterns on Social Media Platforms, which Irish supervisory practice has applied to cookie consent across all sectors.


Step 3: Privacy notice audit

Read your privacy notice critically, as if you had no knowledge of your own business. Ask:

Does it identify who the controller is? It should give the registered company name, CRO number and registered office address, not just a trading name or website name.

Does it identify the lawful basis for each processing activity? For an Irish SME, typical processing activities include:

Processing activity                     Typical lawful basis
--------------------------------------  ------------------------------------------
Responding to contact form enquiries    Legitimate interests or contract
Sending a newsletter                    Consent
Processing a purchase                   Contract
Running Google Analytics                Consent
Retaining accounting records            Legal obligation (Companies Act / Revenue)
Processing job applications             Legitimate interests / pre-contract

Stating "we process your data lawfully" without identifying which basis applies to which activity is not compliant. A DPC investigation into a privacy notice will press on this specific point.

Does it name your data processors? Google Analytics, Stripe, Mailchimp, Shopify and your hosting provider are all processors. They must be named or a current sub-processor list must be linked.

Does it explain data transfers outside the EEA? If you use US-based services, mention the Data Privacy Framework (for DPF-certified providers) or the Standard Contractual Clauses (for those not certified). Note the recipient countries.

Does it state retention periods? Irish businesses have specific retention anchors. The Companies Act 2014 requires 6-year retention for company records. Revenue requires 6 years for tax records. Your privacy notice should reflect these for any personal data embedded in those records.


Step 4: Data subject access request (DSAR) readiness

The DPC's own statistics show DSAR failures as the most common complaint type against Irish organisations. The Irish High Court decision in Nowak v Data Protection Commissioner [2016] IEHC 110 was referred to the CJEU, which ruled in Case C-434/16 Nowak (20 December 2017) that examination scripts held by a professional body constitute personal data, a reminder that what counts as personal data in Ireland is interpreted broadly.

A DSAR readiness check involves:

  • Designating who handles DSARs (and who covers if that person is unavailable)
  • Knowing where personal data is stored: CRM, email platform, accounting software, website database, paper files
  • Having a response template that covers: confirmation that data is held, a copy of the data, the purposes, the recipients, the retention period and rights information
  • A calendar system to track the one-month response deadline from receipt
  • A process for the two-month extension if needed (must notify the person within the first month)

A practical test: send a DSAR to yourself using your business email address. Can you compile a complete response? How long does it take?


Step 5: Data processor agreement inventory

Pull together a list of every tool your website uses that touches personal data. For each one, establish whether a Data Processing Agreement (DPA) is in place.

Common tools and where to find the DPA:

  • Google Analytics / Google Workspace: Google's Data Processing Addendum, available through Google's account settings. Must be accepted before it takes effect.
  • Mailchimp: the DPA is incorporated into Mailchimp's Standard Terms of Use since 2020. Verify it is in force for your account.
  • Stripe: Stripe's Data Processing Agreement is part of its Services Agreement for European customers. No separate activation is required.
  • WordPress hosting providers: request a DPA from your hosting provider. Most reputable Irish and European hosts provide one on request.

Keep a record of each DPA: which tool, date accepted or signed, where the current version is held. If the DPC asks for evidence of your processor agreements, you need to be able to produce it promptly.


Step 6: Third-party resources loaded on every page

This step specifically addresses the resources that load on every page of your site, regardless of cookie consent.

Google Fonts via googleapis.com: loading fonts from fonts.googleapis.com sends the visitor's IP address to Google on every page visit, without consent. The Bavarian Data Protection Authority (BayLDA) issued formal warnings for this in 2022. The EDPB's guidance is consistent with this position. Self-host your fonts.

Google Maps embedded via iframe: a standard Google Maps iframe loads Google's cookies immediately. Replace it with a static image of the map with an "Open in Google Maps" link, or use a click-to-load wrapper that only loads the live map after the user consents to map-related cookies.

YouTube embedded video: a standard YouTube embed loads advertising and preference cookies. Use the youtube-nocookie.com embed variant, which limits cookie placement, or wrap the video in a consent-triggered loader.

Font Awesome from a CDN: if loaded from fontawesome.com servers rather than self-hosted, this is a third-party resource with a privacy policy of its own. Self-hosting the icon set eliminates the exposure.
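The click-to-load wrappers suggested for Google Maps and YouTube above, as an added example that is not code from the original article: a build-time pass over page HTML that replaces each Google iframe with a placeholder holding the deferred URL (switched to youtube-nocookie.com for videos), so the browser fetches nothing from Google until the visitor clicks. The placeholder markup and the data-src/data-consent attribute names are assumptions; a small front-end script (not shown) would copy data-src into a real iframe on click. The sample fragment is constructed and VIDEO_ID is a placeholder.

```javascript
// Added example, not from the original article: turn YouTube and Google Maps
// iframes in page HTML into click-to-load placeholders so nothing is fetched
// from Google until the visitor opts in. The placeholder markup and the
// data-src/data-consent attribute names are assumptions; a small front-end
// script (not shown) would copy data-src into a real iframe on click.
const EMBED_RULES = [
  { // YouTube: defer it and switch to the reduced-cookie domain
    match: /^https:\/\/(www\.)?youtube\.com\/embed\//,
    rewrite: src => src.replace('youtube.com', 'youtube-nocookie.com'),
    category: 'video',
  },
  { // Google Maps embed: keep the URL, just defer it
    match: /^https:\/\/(www\.)?google\.com\/maps\/embed/,
    rewrite: src => src,
    category: 'maps',
  },
];

// Returns the rewritten HTML plus a list of what was deferred, for the audit record.
function rewriteEmbeds(html) {
  const found = [];
  const out = html.replace(/<iframe\b[^>]*?\ssrc="([^"]+)"[^>]*><\/iframe>/gi,
    (whole, src) => {
      const rule = EMBED_RULES.find(r => r.match.test(src));
      if (!rule) return whole;            // first-party or unknown iframe: leave it
      const deferred = rule.rewrite(src);
      found.push({ category: rule.category, src: deferred });
      return `<div class="consent-embed" data-consent="${rule.category}" data-src="${deferred}">`
           + `<button type="button">Load ${rule.category} (content from Google)</button></div>`;
    });
  return { html: out, found };
}

// Constructed sample page fragment: a map, a video and a first-party iframe.
const SAMPLE = `
<p>Find us here:</p>
<iframe src="https://www.google.com/maps/embed?pb=!1m18" width="600" height="450"></iframe>
<iframe width="560" height="315" src="https://www.youtube.com/embed/VIDEO_ID" allowfullscreen></iframe>
<iframe src="https://example.ie/booking" title="Booking form"></iframe>`;

console.log(rewriteEmbeds(SAMPLE).html);
```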


Step 7: Security basics

GDPR Article 32 requires appropriate technical and organisational security measures. For an Irish SMB website, the baseline includes:

  • HTTPS throughout the site with a valid, auto-renewing TLS certificate
  • CMS (WordPress, Shopify, etc.) kept on the current major version
  • Plugins updated at least monthly, with unused plugins deactivated and deleted
  • Admin accounts using strong unique passwords (a password manager, not variations of the same password)
  • Two-factor authentication on the hosting control panel and CMS admin
  • Automated daily backups stored in a separate location

A personal data breach caused by a known unpatched vulnerability (for example, a WordPress plugin with a published CVE that was not updated) is treated by the DPC as a security failure under Article 32, separate from any notification obligation under Article 33.


After the audit: what to do with the findings

Triage what you found into three buckets:

Fix this week (critical): tracking scripts loading before consent, missing privacy notice, no cookie banner, CRO number absent from the website.

Fix this month (important): privacy notice does not identify lawful basis, no DPA with Google Analytics, missing unsubscribe link in marketing emails, Google Fonts loading from external CDN.

Fix when possible (improvement): retention periods not specified in the privacy notice, sub-processor list not current, no formal DSAR procedure document.

Document what you found and when you fixed it. If the DPC ever contacts you, a dated audit record showing you identified and remediated issues is a meaningful indicator of good faith.

For a structured checklist version of the obligations covered in this audit, see our GDPR compliance checklist for Irish businesses and the DPC cookie guidance for Irish websites.


This is technical analysis, not legal advice. Consult a solicitor or data protection specialist for advice specific to your situation.
