GDPR. It still makes Irish business owners nervous. But here’s the thing — for most small businesses in Ireland, compliance isn’t as complicated as the consultants want you to believe.
At its core, GDPR says: only collect data you need, use it for the reason you collected it, keep it safe, tell people what you're doing with it, let them see or correct it if they ask, and delete it when you don't need it anymore. That's basically it.
Here’s your practical checklist:
Know what data you hold. Client names, emails, phone numbers, invoices, CVs from people who applied for a job. Make a simple list. You don't need a fancy audit, just know what's where and who can get at it. Is it in your email? On a shared drive? In a filing cabinet? With your accountant or in a cloud app?
Have a privacy policy. The rule is that whenever you collect someone's personal data you have to tell them what you're collecting and why, whether or not you have a website. If you do have one, that's what the privacy policy page is for. It should explain what data you collect, why, how long you keep it, and who to contact about it, in plain English. You don't need a solicitor. Clear, honest language is what the DPC wants to see.
Secure your data. Strong, unique passwords (a password manager makes this painless), MFA on your email and any cloud accounts, full-disk encryption on laptops (BitLocker on Windows, FileVault on a Mac), and regular backups that you've actually tested restoring from. If a laptop gets nicked from the car, can someone open it and read your client files? With the disk encrypted and the laptop switched off or locked, they can't, and that is usually the difference between a breach you have to report and one you just have to note down. If the answer today is yes, fix that today.
Don't keep data forever. Old client records from ten years ago that you'll never look at again? Delete them, or archive them under a written retention policy that says how long you keep each type of record and why. Revenue requires you to keep financial records for six years. Beyond that, there's usually no reason to hold onto personal data.
Have a breach plan. If personal data is lost, stolen or seen by someone who shouldn't have seen it, GDPR expects you to report it to the DPC within 72 hours of finding out, unless it's unlikely to put the people affected at any risk, and to tell those people directly if the risk to them is high. Either way, write down what happened and what you did about it. The plan doesn't need to be long: who you ring, how you lock down the account or device, and where the DPC's breach form is. Hopefully you'll never need it, but having it ready is part of being compliant.
The Data Protection Commission isn't hunting small businesses. Its big fines have gone to the tech giants. But the DPC does follow up on complaints from individuals, and anyone can complain about any business, so having your basics covered protects your clients and your reputation, and gives you peace of mind. If you're not sure where you stand, get in touch and I'll do a quick review of your setup.
Part of GDPR compliance is securing your accounts with MFA and having proper IT support in place. I help businesses across Tuam, Claregalway, and Athenry get their data protection basics sorted.