TrustYourWebsite

GDPR compliance for Irish businesses: website checklist 2026

3 April 2026


Ireland's Data Protection Commission (DPC) has imposed more GDPR fines than any other EU supervisory authority — over €4 billion since 2018. TikTok (€530M, 2025), Meta (€1.2B, 2023), LinkedIn (€310M, 2024). Every headline makes Irish business owners ask the same question: are we next?

The honest answer: headline fines target Big Tech. But the DPC also investigates domestic Irish controllers — SMBs, public bodies, professional services firms. Enforcement against Irish businesses typically takes the form of warnings, reprimands, and smaller fines, but the compliance requirements are identical.

This checklist covers what Irish websites must do in 2026.


Required: Yes, for any non-essential cookies.

Under SI 336 of 2011 (Irish ePrivacy Regulations), you must obtain prior consent before setting cookies that are not strictly necessary for the service requested.

Your cookie banner must:

  • Offer an equally prominent "Reject All" option alongside "Accept All"
  • Not set tracking scripts before the visitor makes a choice
  • Not use pre-ticked boxes for optional cookies
  • Remember the visitor's choice for future visits

What the DPC flags as dark patterns: An "Accept All" button in large green text alongside a small grey "Manage Preferences" link. The DPC has stated that asymmetrical button styling undermines free and informed consent.

Key distinction: The DPC cannot issue direct administrative fines for ePrivacy/cookie breaches under SI 336. However, it can prosecute through the courts, and where cookies involve personal data processing (which analytics cookies almost always do), it applies GDPR enforcement powers.

Action: Click "Reject All" on your own website, then open browser DevTools → Network, and filter for "google-analytics". If requests appear, your banner is not working correctly.


2. Privacy policy

Required: Yes, under GDPR Article 13 and the Data Protection Act 2018.

Your privacy policy must cover:

  • What personal data you collect (names, emails, IP addresses)
  • Your lawful basis for processing each category
  • How long you retain data
  • Which third parties have access (Google Analytics, payment processors, email tools)
  • How visitors can exercise their rights (access, deletion, objection, portability)
  • How to lodge a complaint with the DPC

Complaints about missing or inadequate privacy policies are among the most common issues the DPC handles from members of the public.

DPC contact for complaints: www.dataprotection.ie

Action: Check your privacy policy exists, is linked from every page footer, and accurately describes your specific data processing — not a generic template.


3. Company registration details (Companies Act 2014)

Required: Yes, under Section 49 of the Companies Act 2014 and SI 68/2003.

Every Irish limited company must display on its website:

  • Full company name as registered with the CRO
  • Company registration number (CRO number)
  • Registered office address
  • At least one director's name
  • Company type (e.g. "Limited", "Designated Activity Company")

Under the E-Commerce Regulations 2003 (SI 68/2003), you must also display:

  • Geographic address where the business is established (not a PO Box)
  • Direct contact email address
  • VAT number if VAT-registered
  • Any professional regulatory body membership if applicable

Sole traders using a business name should display their own name, address, and contact details.

Where to put it: Footer of every page, plus your contact page.

Action: Check your website footer. Does it show your CRO number, registered address, and company type?


4. Data subject rights

Required: Yes, under GDPR Articles 15–22.

Any person whose data you hold can submit a Data Subject Access Request (DSAR). You must respond within one month. The DPC has taken enforcement action against Irish organisations for DSAR failures — including a €110,000 fine against a public body for repeated failures to respond on time.

Your privacy policy must explain how to submit a request. For small businesses, a dedicated email address (e.g. privacy@yourcompany.ie) is sufficient.

Action: Test your DSAR process. If someone emailed asking for all data you hold about them, could you respond within 30 days?


5. Data breach notification

Required: Yes, under GDPR Article 33.

If you suffer a data breach — a cyberattack, lost laptop, accidental email to the wrong person — that risks the rights and freedoms of individuals, you must notify the DPC within 72 hours of becoming aware. High-risk breaches must also be communicated directly to the affected individuals.

The DPC publishes breach statistics annually. In 2023, it received over 8,000 breach notifications.

Action: Do you have a documented procedure for identifying and reporting a breach within 72 hours?


6. Google Analytics and third-party tools

Risk: High in Ireland.

Ireland is the DPC's jurisdiction for most major US tech companies. Standard Google Analytics configurations transmit visitor IP addresses to the US without adequate safeguards — exactly the issue the DPC found against Meta (€1.2B fine, 2023).

The safest options:

  1. Implement Google Consent Mode v2 with proper consent management
  2. Switch to an EU-hosted analytics tool (Plausible, Fathom, Matomo self-hosted)
  3. Disable analytics entirely until proper consent infrastructure is in place

Action: Check whether your analytics tool is loading before the visitor accepts cookies.
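
The manual DevTools checks in sections 1 and 6 can be repeated on a saved network capture. The script below is an added example, not part of the original checklist or the site's scanner: it reads a HAR 1.2 capture and reports tracker requests made before the visitor's choice and after "Reject All". The host list, the `rejected_at` parameter and the sample capture are assumptions constructed for illustration.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Assumption: a short illustrative host list; extend it for the tools your site embeds.
TRACKER_HOSTS = ("google-analytics.com", "googletagmanager.com", "doubleclick.net")

def parse_ts(ts):
    """Parse a HAR startedDateTime (ISO 8601, often with a trailing Z)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def is_tracker(host):
    """Match the domain itself or a subdomain, never a bare substring."""
    host = (host or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRACKER_HOSTS)

def audit_har(har, rejected_at):
    """Classify tracker requests relative to the moment 'Reject All' was clicked."""
    cutoff = parse_ts(rejected_at)
    findings = []
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if not is_tracker(host):
            continue
        started = parse_ts(entry["startedDateTime"])
        phase = "before-choice" if started < cutoff else "after-reject"
        findings.append((phase, host))
    return findings

# Constructed sample: four entries in HAR 1.2 shape, trimmed to the fields used here.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2026-04-03T10:00:00.120Z",
     "request": {"url": "https://www.example.ie/"}},
    {"startedDateTime": "2026-04-03T10:00:00.480Z",
     "request": {"url": "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"}},
    {"startedDateTime": "2026-04-03T10:00:06.900Z",
     "request": {"url": "https://region1.google-analytics.com/g/collect?v=2"}},
    {"startedDateTime": "2026-04-03T10:00:07.100Z",
     "request": {"url": "https://notgoogle-analytics.com.example.ie/x.js"}},
]}}

if __name__ == "__main__":
    # The sample visitor clicked "Reject All" five seconds after the page load began.
    for phase, host in audit_har(SAMPLE_HAR, "2026-04-03T10:00:05.000Z"):
        print(phase, host)
```

For a real check, export the capture from the DevTools Network panel as a HAR file, load it with `json.load`, and pass the time at which you clicked "Reject All".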


7. SSL and security basics

Required: Best practice; GDPR Article 32 requires "appropriate technical measures."

If your website transmits personal data (any form with name/email) without HTTPS, that is a potential GDPR violation. Ensure:

  • Valid SSL certificate on all pages
  • No mixed-content (HTTP resources on HTTPS pages)
  • Security headers configured (Content-Security-Policy, HSTS)
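
The three checks above can be run against a single fetched page. This is an added example, not code from the original article or the site's scanner: it takes a page URL, its response headers and its HTML, and reports a non-HTTPS page, HTTP subresources or form targets on an HTTPS page, and missing HSTS or Content-Security-Policy headers. The finding labels and the sample response are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ResourceCollector(HTMLParser):
    """Collect URLs the page loads (src, stylesheet href) or posts form data to."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.found = base_url, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        keys = ["src"]
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            keys.append("href")
        if tag == "form":
            keys.append("action")
        for key in keys:
            if a.get(key):  # resolve relative and protocol-relative URLs
                self.found.append((tag, urljoin(self.base_url, a[key])))

def hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security value, or 0 if absent."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.lower() == "max-age" and num.strip('"').isdigit():
            return int(num.strip('"'))
    return 0

def audit_page(url, headers, html):
    """Return findings for one fetched page: scheme, mixed content, HSTS, CSP."""
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("page-not-https")
    collector = ResourceCollector(url)
    collector.feed(html)
    findings += [f"insecure-{tag}:{res}" for tag, res in collector.found
                 if urlsplit(res).scheme == "http"]
    h = {k.lower(): v for k, v in headers.items()}
    if hsts_max_age(h.get("strict-transport-security", "")) == 0:
        findings.append("hsts-missing-or-disabled")
    if "content-security-policy" not in h:
        findings.append("csp-missing")
    return findings

# Constructed sample response for a contact page.
SAMPLE_URL = "https://www.example.ie/contact"
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=0"}
SAMPLE_HTML = """<link rel="stylesheet" href="/site.css"><a href="http://partner.example/">partner</a>
<script src="//cdn.example.net/app.js"></script><img src="http://www.example.ie/logo.png">
<form action="http://www.example.ie/subscribe"><input name="email"></form>"""
```

On the sample, the image and the form target are flagged while the ordinary `<a>` link is not, because a navigation link is not a resource the page loads; `max-age=0` is reported because it switches HSTS off.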

Free website check in 60 seconds

Our scanner tests your cookie banner (including whether rejecting actually stops trackers), checks for your company registration details, analyses your privacy policy, and runs 35+ additional checks — specific to Irish legal requirements.

Check your website for free →

No account required. Results in under 60 seconds.


This is technical analysis, not legal advice. Consult a qualified solicitor or data protection advisor for specific legal guidance.
