Does My Irish Business Need a Privacy Policy? What the Law Actually Says
The short answer is: if your business collects any personal data from individuals, yes — you almost certainly need a privacy policy. But the legal picture is more nuanced than a simple yes or no, and understanding the specifics can save you from costly mistakes.
The Legal Foundation
Two pieces of legislation are particularly relevant for Irish businesses:
- The General Data Protection Regulation (GDPR) — an EU-wide regulation that has been directly applicable in Ireland since 25 May 2018.
- The Data Protection Act 2018 — Ireland's national legislation that supplements and gives further effect to GDPR.
Together, these laws impose transparency obligations on any organisation that processes personal data. Articles 13 and 14 of GDPR specifically require you to provide individuals with detailed information about how their data is processed — and a privacy policy is the standard way to fulfil this obligation.
What Counts as "Personal Data"?
Personal data is any information that can identify a living individual, either directly or indirectly. Common examples include:
- Names, addresses, and phone numbers
- Email addresses
- IP addresses and device identifiers
- Location data
- Financial information (bank details, payment card numbers)
- Employee records
- Customer purchase history
- CCTV footage
- Health information
If your business collects any of these — whether from customers, employees, website visitors, or suppliers — you are processing personal data and GDPR applies.
"But I Only Have a Small Business..."
There is a common misconception that GDPR only applies to large companies. This is incorrect. GDPR applies to all organisations that process personal data, regardless of size. A sole trader with a mailing list of 50 people has the same transparency obligations as a multinational corporation.
The Data Protection Commission (DPC) has made this clear in multiple guidance documents and has taken enforcement action against small businesses that failed to comply.
That said, some obligations scale with the level of risk. A corner shop with a loyalty card scheme has different risk considerations than a health clinic processing medical records. But the requirement to have a privacy policy is universal.
What Must a Privacy Policy Contain?
Under Articles 13 and 14 of GDPR, your privacy policy must include:
- Identity and contact details of the data controller (your business)
- Contact details of your Data Protection Officer, if you have one
- The purposes for which you process personal data
- The lawful basis for each processing purpose
- Categories of personal data collected (if not obtained directly from the individual)
- Recipients or categories of recipients of the data
- Details of any international transfers of data outside the EEA, including the safeguards in place
- Retention periods for each category of data
- Individual rights: the right of access, rectification, erasure, restriction, data portability, and the right to object
- The right to withdraw consent at any time (where consent is the lawful basis)
- The right to lodge a complaint with the Data Protection Commission
- Whether providing data is a statutory or contractual requirement, and the consequences of not providing it
- Details of any automated decision-making, including profiling
Common Mistakes Irish Businesses Make
1. Using a Generic Template Without Customisation
Downloading a privacy policy template from the internet and publishing it without adapting it to your specific business is a common and risky approach. Your privacy policy must accurately reflect your actual data processing activities. A generic template will almost certainly contain inaccuracies.
2. Burying the Privacy Policy
Your privacy policy must be easily accessible. Best practice is to link to it from:
- Your website footer (on every page)
- Any data collection forms (contact forms, sign-up forms, checkout pages)
- Your email signature or marketing communications
- Employment contracts and staff handbooks
3. Using Legal Jargon
GDPR requires that privacy information be provided in "concise, transparent, intelligible and easily accessible form, using clear and plain language." If your privacy policy reads like a legal contract, it does not meet the standard. Write for your audience — if your customers are everyday consumers, write in everyday language.
4. Failing to Update the Policy
Your privacy policy is not a set-and-forget document. It should be reviewed and updated whenever:
- You start collecting new types of personal data
- You begin sharing data with a new third party
- You change your data retention periods
- You adopt new technologies that affect data processing
- There are changes to relevant legislation or DPC guidance
5. Ignoring Employee Data
Many businesses focus their privacy policy on customers but forget that they also process employee personal data. You need a separate privacy notice (or a section within your main policy) that addresses how you handle employee data, including recruitment data, payroll information, performance records, and CCTV monitoring in the workplace.
What About Cookies?
Cookie notices and privacy policies are related but distinct. The requirement to obtain consent for non-essential cookies comes from the ePrivacy Directive, transposed into Irish law by SI 336 of 2011 (the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011).
Your cookie notice should explain:
- What cookies your website uses
- The purpose of each cookie
- Whether cookies are first-party or third-party
- How users can manage or refuse cookies
Many businesses combine their cookie information with their privacy policy, which is acceptable as long as the information is clearly presented.
What Happens If You Do Not Have a Privacy Policy?
Failing to provide the required transparency information is a breach of GDPR. The potential consequences include:
- Administrative fines: up to €20 million or 4% of annual global turnover
- Enforcement notices: the DPC can order you to bring your processing into compliance
- Complaints: individuals can lodge complaints with the DPC, triggering an investigation
- Reputational damage: data protection failures are increasingly reported in the media
- Civil claims: affected individuals can seek compensation for material or non-material damage
In practice, the DPC's approach to smaller businesses tends to start with guidance and corrective measures rather than immediate fines. But this is not guaranteed, and repeated or wilful non-compliance will attract stronger penalties.
Practical Steps to Get Compliant
- Audit your data: list all the personal data your business collects, where it is stored, who has access, and who you share it with
- Draft or update your privacy policy: ensure it covers all the required information listed above
- Make it accessible: publish it prominently on your website and reference it in your forms and communications
- Review regularly: set a calendar reminder to review your policy at least once a year
- Use our tools: ComplianceKit's privacy policy generator creates a customised policy based on your specific business activities, ensuring you meet all DPC requirements
The Bottom Line
Every Irish business that processes personal data needs a privacy policy. It is not optional, it is not just for large companies, and a generic template is not sufficient. The good news is that creating a compliant privacy policy does not have to be complicated or expensive — it simply requires an honest assessment of your data practices and clear communication with the people whose data you hold.