DPC Fines Ireland 2026 — What Every SME Owner Needs to Know
Ireland's Data Protection Commission (DPC) is the national supervisory authority responsible for enforcing GDPR and the Data Protection Act 2018. Headquartered in Dublin with regional offices in Portarlington, the DPC has grown significantly in both budget and staffing since GDPR came into force — and its enforcement activity has grown to match.
This article examines the DPC's recent enforcement trends and what they mean for Irish SMEs.
The DPC's Evolving Approach
In the early years of GDPR, the DPC was frequently criticised — both domestically and by other EU data protection authorities — for being slow to act, particularly against large technology companies. That narrative has shifted considerably.
The DPC has issued some of the largest fines in European data protection history, including landmark decisions against major social media platforms and technology companies. But what many Irish business owners do not realise is that the DPC's enforcement activity extends well beyond big tech.
In 2025 and into 2026, the DPC has increasingly focused on:
- SMEs and domestic businesses that process personal data without adequate safeguards
- Public sector bodies including local authorities and healthcare providers
- Direct marketing violations, particularly unsolicited electronic communications
- Data breach handling, especially delayed or inadequate breach notifications
Notable Enforcement Actions
While the headline-grabbing fines tend to involve multinational tech companies, the DPC has also taken action against smaller organisations. Recent enforcement themes include:
Unsolicited Marketing Communications
The DPC has received thousands of complaints about unsolicited marketing emails, texts, and phone calls. Under SI 336 of 2011 (Ireland's implementation of the ePrivacy Directive), sending marketing communications without proper consent is an offence that can result in prosecution.
The DPC has successfully prosecuted businesses of all sizes for sending unsolicited marketing messages. Fines in these cases have typically ranged from €1,000 to €50,000, but the reputational impact can be far greater.
Lesson for SMEs: ensure you have valid opt-in consent before sending any marketing emails or text messages. Do not purchase mailing lists. Do not add people to your mailing list just because they gave you their business card.
Inadequate Data Breach Notification
GDPR requires that a personal data breach likely to result in a risk to individuals' rights and freedoms be reported to the DPC within 72 hours of the organisation becoming aware of it. The DPC has reprimanded and fined organisations that:
- Failed to report breaches within the required timeframe
- Did not have adequate breach detection procedures
- Failed to notify affected individuals when required
- Did not maintain a register of breaches
Lesson for SMEs: have a documented data breach response plan. Ensure all staff know how to recognise and report a potential breach internally. Do not wait to see if a breach "becomes a problem" — the 72-hour clock starts when you become aware of the breach.
Excessive Data Collection and Retention
The DPC has investigated businesses that collect more personal data than necessary for their stated purposes, or that retain data long after it is no longer needed. The principles of data minimisation and storage limitation are core to GDPR, and the DPC takes them seriously.
Lesson for SMEs: only collect the personal data you actually need. Define and document retention periods for each category of data. Implement a regular data deletion schedule.
Insufficient Access Request Responses
Under GDPR, individuals have the right to request a copy of the personal data you hold about them (a Subject Access Request, or SAR). You must respond within one month. The DPC has investigated numerous complaints where organisations:
- Failed to respond to SARs at all
- Responded outside the one-month deadline
- Provided incomplete responses
- Charged unlawful fees for processing requests
Lesson for SMEs: have a documented process for handling SARs. Train your staff to recognise a SAR — it does not need to mention GDPR or use specific legal language. Any request from a person to see the data you hold about them is a SAR.
The Fine Structure Under GDPR
GDPR provides for two tiers of administrative fines:
Lower Tier — Up to €10 million or 2% of annual global turnover, whichever is higher
Applies to infringements of obligations relating to:
- Data controllers and processors (Articles 8, 11, 25-39, 42, 43)
- Certification bodies (Articles 42, 43)
- Monitoring bodies (Article 41)
Upper Tier — Up to €20 million or 4% of annual global turnover, whichever is higher
Applies to infringements of:
- Basic principles for processing, including conditions for consent (Articles 5, 6, 7, 9)
- Data subjects' rights (Articles 12-22)
- International transfers (Articles 44-49)
- Non-compliance with an order by the DPC
For an Irish SME with annual turnover of €500,000, 4% of turnover is only €20,000, so because the cap is whichever figure is higher, the theoretical maximum fine under the upper tier would be €20 million, clearly a disproportionate amount. In practice, the DPC takes the principle of proportionality into account and fines for SMEs are significantly lower. But even a fine of a few thousand euro, combined with the cost of remediation and reputational damage, can be a serious blow to a small business.
Factors the DPC Considers When Setting Fines
Article 83(2) of GDPR lists the factors the DPC must consider when deciding whether to impose a fine and how much it should be:
- The nature, gravity, and duration of the infringement
- Whether the infringement was intentional or negligent
- Any actions taken to mitigate the damage
- The degree of responsibility, taking into account technical and organisational measures in place
- Any previous infringements
- The degree of cooperation with the DPC
- The categories of personal data affected
- How the DPC became aware of the infringement (self-reported vs. complaint)
- Any other aggravating or mitigating factors
This means that demonstrating good faith — having policies in place, training staff, responding promptly to issues — can significantly reduce any penalty, even when things go wrong.
Practical Steps to Protect Your Business
1. Conduct a Compliance Audit
Assess where your business currently stands. Identify gaps between your current practices and GDPR requirements. Prioritise the highest-risk areas.
2. Document Everything
The DPC places great weight on documentation. Maintain records of:
- Your processing activities (ROPA)
- Consent records
- Data Protection Impact Assessments
- Breach logs
- Training records
- Data Processing Agreements with third parties
3. Implement Appropriate Security Measures
You do not need enterprise-grade security, but you do need measures that are appropriate to the data you process:
- Strong passwords and two-factor authentication
- Encrypted communications
- Regular software updates
- Access controls
- Secure disposal of old equipment and paper records
4. Train Your Team
Staff awareness is your first line of defence. A simple annual training session covering the basics of data protection can dramatically reduce your risk of a breach.
5. Respond Promptly to Issues
If a breach occurs, report it within 72 hours. If you receive a SAR, respond within one month. If the DPC contacts you, cooperate fully and promptly. Delay and obstruction will always make things worse.
6. Get the Right Tools
You do not need to hire a solicitor or a dedicated DPO to achieve basic compliance. Tools like ComplianceKit provide Irish businesses with practical, affordable compliance resources — from policy generators to compliance checklists — designed specifically for the Irish regulatory environment.
Looking Ahead
The DPC's budget and headcount continue to grow, and its enforcement posture is only becoming more assertive. The EU's increased focus on cross-border cooperation between data protection authorities means that standards are converging upward across Europe.
For Irish SMEs, the message is clear: GDPR compliance is not optional, it is not just for big companies, and the DPC is actively looking beyond big tech. The good news is that the bar for basic compliance is achievable for any business willing to invest a modest amount of time and effort.
Start by understanding your obligations. Then take practical, documented steps to meet them. And if you need help, we are here for exactly that.