Are you now GDPR compliant? How to report a data breach in Ireland

And what enforcement will look like for Irish companies.

In this new era of GDPR, all companies holding information on European citizens must comply with the new regulation. The main principle of the General Data Protection Regulation (GDPR) is to protect customers against the misuse of their data by companies. GDPR brings more transparency and safety to the use of data, benefiting both companies and their customers. In the following paragraphs we explain the main GDPR principles, what enforcement will look like, and how to proceed if you need to communicate a data breach.

If your company is not yet ready for compliance, New Horizons Ireland has gathered some useful tips and information that can help you in this process.

8 Data Protection Principles for complying with GDPR

The principles below are based on the final text of the GDPR and were originally organised by the GDPR Coalition.

01 – Fair data collection and Processing

02 – Obtain data for one or more specified, explicit and lawful purposes

03 – Use and disclose data only in ways compatible with those purposes

04 – Keep it safe and secure

05 – Keep data accurate, complete and up to date

06 – Ensure that the processing is adequate, relevant and not excessive

07 – Retain for no longer than is necessary for the purpose or purposes

08 – Give an individual a copy of his/her personal data on request

Scenarios where GDPR is applicable

At New Horizons Ireland we have been mentoring people on the new regulation since last year, and one of the most important lessons we learned is that GDPR involves the whole company: it cannot be a process led by just one person or one area. Even so, there is a selection of scenarios where the new regulation is 100% applicable.

  • EU parent company
  • Personal Data Locally
  • Local Suppliers
  • Staff Training
  • Off-site Storage
  • Trading with Non-EU companies

If you wish to read the full version of those scenarios, see our previous article:

Scenarios where GDPR is applicable

How to communicate a data breach in Ireland

The new era of the GDPR introduces new requirements for organisations to report personal data breaches to the relevant supervisory authority, which in Ireland is the Data Protection Commission. Companies must do so within 72 hours of becoming aware of the breach; whatever the level of risk, the recommendation is always to notify the responsible authority.

The report can be made by email, and before doing so you should assess the risk posed by your data breach. According to the Data Protection Commission in Ireland, the risk rating can be classified as follows:

  • Low Risk: The breach is unlikely to have an impact on individuals, or the impact is likely to be minimal
  • Medium Risk: The breach may have an impact on individuals, but the impact is unlikely to be substantial
  • High Risk: The breach may have a considerable impact on affected individuals
  • Severe Risk: The breach may have a critical, extensive or a dangerous impact on affected individuals.

Since you will first need to determine how serious you consider the breach to be for affected individuals, you should bear in mind the impact of the breach on the individuals whose data has been exposed. In assessing this potential impact, consider the nature of the breach, the cause of the breach, the type of data exposed, the mitigating factors in place, and whether the personal data of vulnerable individuals has been exposed.

You can see the full process for notifying a data breach on the Data Protection Commission website by clicking here.


At the Global Privacy Summit, Irish Data Protection Commissioner Helen Dixon gave some indication of how GDPR enforcement will work.

"There will be fines, and they will be significant." "I like to twist it back around to remind everyone what the GDPR is, which is about accountability backed up by ex-post enforcement under Article 83. I think it is quite clear that when we do identify an infringement that's of the gravity, duration and scope that is serious, then we are obliged considerably to administer an administrative fine," said Dixon.

You can read more about this in IAPP's article here.

Get trained

At New Horizons Ireland we provide a wide range of GDPR courses to prepare you and your team. Check them out below:

GDPR Certifications

Certified Information Privacy Professional


The “what” of privacy, and why you need it.

  • Legal
  • Compliance
  • Information Management
  • Data Governance
  • Human Resources

Duration: 2 days


  • Exam
  • IAPP membership
  • Official training

View outline

Certified Information Privacy Manager


The “how” of privacy operations, and why you need it.

  • Risk Management
  • Privacy Operations
  • Accountability
  • Audit
  • Privacy Analytics

Duration: 2 days


  • Exam
  • IAPP membership
  • Official training

View outline

Certified Information Privacy Technologist


The “how” of privacy and technology, and why you need it.

  • Information Technology
  • Information Security
  • Software Engineering
  • Privacy by Design

Duration: 2 days


  • Exam
  • IAPP membership
  • Official training

View outline

Other Popular GDPR courses

The GDPR Primer for Data Protection Officers - 2 Days

  • The social, historical and legal background leading to the General Data Protection Regulation (GDPR)
  • Principle one: the criteria governing fair, open and transparent processing of personal data
  • The role of the data protection officer (DPO)
  • The remedies, liabilities and penalties available under the GDPR
  • Provisions for specific processing situations
  • Preparing for implementation of the GDPR

Outline and course dates
