GDPR Isn't Going Away
If you have a website, GDPR applies to you. It doesn't matter if you're a one-person business or a large company. If you collect any personal data from visitors, even just an email address or a form submission, GDPR rules apply. Ireland's Data Protection Commission (DPC) is actively enforcing these rules, and fines have been significant.
The good news: getting GDPR right isn't complicated. It just requires following a few core principles and being transparent with your visitors.
The Five Things Every Irish Website Needs
- A privacy policy that actually explains what you do with data
- Cookie consent that works properly
- A way for people to request or delete their data
- A data processing agreement if you use third-party tools
- Incident response procedures if something goes wrong
The DPC Ireland has published detailed guidance on GDPR compliance. Their website includes practical examples and case studies showing how Irish businesses can implement GDPR correctly.
Privacy Policies That Actually Work
Your privacy policy isn't legal boilerplate. It's a real explanation of how you handle data. Many websites copy generic templates and call it done. The DPC doesn't like that.
Your privacy policy must clearly explain:
- What personal data you collect (names, emails, IP addresses, etc.)
- How you collect it (forms, cookies, analytics)
- Why you collect it (legal basis)
- How long you keep it
- Who you share it with (payment processors, email services, etc.)
- How people can request or delete their data
Plain language privacy policies that match your actual practices build trust. Users appreciate honesty. If you use Google Analytics, Mailchimp, or other tools, clearly say so.
Cookie Consent: The Biggest Mistake
Most Irish websites get cookies wrong. Here's what happens: a banner pops up with an "I Agree" button that's big and obvious, and a "Settings" button that's tiny and grey. Visitors feel forced to accept.
The DPC has made it clear: consent must be freely given. That means:
- Accept and Reject buttons must be equally prominent
- Pre-ticked boxes are not allowed
- Dark patterns (manipulating people into accepting) are illegal
- Consent should be easy to withdraw at any time
- Analytics and marketing cookies need separate consent from essential cookies
| Cookie Type | Requires Consent? | Examples |
|---|---|---|
| Essential | No | Session cookies, security, language preferences |
| Analytics | Yes | Google Analytics, Hotjar, Mixpanel |
| Marketing | Yes | Facebook Pixel, LinkedIn Ads, Google Ads |
| Functional | Maybe | Depends on purpose; check your tool's documentation |
Google Analytics and similar tools may not be GDPR compliant without proper configuration. Use anonymization settings and ensure your DPA is in place. Many Irish businesses use these tools without realizing the compliance requirements.
Data Processing Agreements
If you use Google Analytics, Mailchimp, Stripe, Shopify, or any third-party service that processes customer data, you need a Data Processing Agreement (DPA) with them. Most platforms offer these; they're usually in your settings or available on request.
Keep a list of every tool you use that handles customer data. Check that each one has a DPA in place. This isn't optional if you want to be GDPR compliant.
Common Tools That Need DPAs
What Happens If Someone Asks for Their Data?
Under GDPR, people have the right to request their data (called a Subject Access Request). You must respond within 30 days. If you don't have a system in place to do this, you're already breaking the law.
- Set up a process: who receives the request, how you gather the data, how you verify identity
- Document everything: keep records of when requests were made and what you provided
- Have someone responsible for responding (even if it's just you)
- Be prepared to explain if you can't provide something
The most common failure here is not responding to data requests at all, or taking longer than 30 days. The DPC tracks this closely and fines are substantial. This is one of the most common reasons Irish businesses get fined.
Common Mistakes the DPC Is Cracking Down On
- Pre-ticked consent boxes (not allowed)
- Consent banners where Reject is harder to find than Accept
- No privacy policy, or a privacy policy that's blank/unfinished
- Using data for purposes not mentioned in your privacy policy
- Keeping data longer than necessary
- No clear way for people to contact you about their data
For more on protecting your website, see our guide on legal pages for Irish websites.
How Much Can the DPC Fine My Business for GDPR Breaches?
The DPC Ireland can issue fines up to 20 million EUR or 4% of global annual turnover (whichever is higher) for serious violations. Even minor breaches result in significant penalties. See our guide to legal requirements for Irish websites for detailed information on compliance and risk mitigation.
Is Google Analytics GDPR Compliant for Irish Websites?
Google Analytics can be GDPR compliant, but only with proper configuration. You need to anonymize IP addresses, implement server-side tracking where possible, and have a valid DPA. Many Irish businesses use Google Analytics without these configurations, putting themselves at legal risk. Refer to SEO statistics for Ireland resources for guidance on compliant analytics implementation.
Getting Started: A Checklist
- Write or update your privacy policy (be clear and honest)
- Audit your cookies: which ones are essential, which need consent
- Implement a consent banner that gives real choice
- Get DPAs in place with every third-party tool
- Document your data handling process
- Designate someone responsible for GDPR compliance
- Test your cookie consent to make sure Reject actually works
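As an added example (not the article's code): a small JavaScript consent gate that applies the rules from the cookie consent section (nothing pre-ticked, per-category opt-in, easy withdrawal, essential cookies only without consent), plus a post-Reject audit for the last two checklist items. Category names follow the table above; the tag list, cookie names and classification map are constructed sample data.

```javascript
// Added example, not the article's code. Category names follow the article's
// table; TAGS and COOKIE_CLASSES below are constructed sample data.
const ESSENTIAL = "essential";
const OPT_IN_CATEGORIES = ["analytics", "marketing", "functional"];

// Consent record as it might be stored in localStorage. Nothing is pre-ticked:
// every non-essential category starts as false until the visitor decides.
function newConsent() {
  return { version: 1, decidedAt: null, analytics: false, marketing: false, functional: false };
}

// Record a decision. Only categories explicitly granted become true;
// anything not listed stays false (opt-in, never opt-out).
function decide(consent, granted) {
  const next = { ...consent, decidedAt: new Date().toISOString() };
  for (const cat of OPT_IN_CATEGORIES) next[cat] = granted.includes(cat);
  return next;
}

// Withdrawal must be as easy as consenting: one call resets every
// non-essential category to false and records when that happened.
function withdraw(consent) { return decide(consent, []); }

// Given the tags a page declares, return only those allowed to load right now.
// Essential tags always load; every other tag needs an explicit true.
function tagsToLoad(tags, consent) {
  return tags.filter(t => t.category === ESSENTIAL || consent[t.category] === true);
}

// Post-Reject audit for the checklist: given the cookie names observed in the
// browser after clicking "Reject", return those that should not be there
// (non-essential, or not classified at all, which also needs investigating).
function auditAfterReject(observedCookies, classification) {
  return observedCookies.filter(name => (classification[name] || "unclassified") !== ESSENTIAL);
}

// Constructed sample data for the example above.
const TAGS = [
  { name: "session-handler", category: "essential" },
  { name: "google-analytics", category: "analytics" },
  { name: "facebook-pixel", category: "marketing" },
];
const COOKIE_CLASSES = { PHPSESSID: "essential", _ga: "analytics", _fbp: "marketing" };

// Usage: a fresh visitor loads only the essential tag; after "Reject" the
// audit should return an empty list, otherwise a tag is firing without consent.
console.log(tagsToLoad(TAGS, newConsent()).map(t => t.name));
console.log(auditAfterReject(["PHPSESSID", "_ga"], COOKIE_CLASSES));
```

Run the audit against the cookies your browser actually stores after clicking Reject; any name it returns is a tool that is firing before consent.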
Written by
Founder of Web Design Ireland. Helping Irish businesses make smart website investments with honest, practical advice.