Listen to our GDPR podcast

GDPR – What is it? Who has to comply? What does this mean for my business? Accountancy Ireland talks to Peter Bolger of LK Shields, Gavin Doherty from 247 Meetings and Niall Tierney from Tierney IP to get your questions answered in this special GDPR podcast.

Latest GDPR articles


Cross-border data flows enable trade. Many businesses rely on the ability to transfer personal data about their customers or employees to be able to offer goods and services.  Any restriction on the ability of data to flow freely would act as a trade barrier. Countries in the EU are bound by the General Data Protection Regulation (GDPR) which ensures that personal data can be transferred safely across-borders. Will Brexit impact upon this? What is Data Protection law? Data protection law covers situations where information about somebody (‘personal data’) is used by another person or organisation, other than in a purely personal context.  Legislation regulates the ways and circumstances in which personal data might be processed. The General Data Protection Regulation (GDPR) is the legislation which applies to most kinds of processing of personal data (other than for personal context), across the EEA (the EU plus Iceland, Norway, and Liechtenstein). GDPR means that data controllers within the EU are not allowed to transfer personal data outside of the EU/EEA unless the high standards that apply under GDPR are maintained. What is personal data? Personal data covers things like name, date of birth, email address, address, phone number, location data or physical characteristics. It doesn’t have to be in written form. It can include photos, audio or video recordings that are processed electronically or as part of a filing system. Processing data means using personal data in any way such as collecting, storing, retrieving, consulting and disclosing. What type of data is transferred between the EU and UK? To assess if you are transferring personal data between the UK and EU (i.e. cross-border) consider the following: Are you outsourcing your HR, IT or payroll function to a cross-border organisation? Are you using a cross-border server or a server in the cloud to store personal data? Are you using software (such as for email or databases) provided by a cross-border company which may involve transferring personal data to a cross-border server? Are you using a cross-border marketing company to send communications to your customers? Is your pension scheme based cross-border? Why is the ability to exchange data so important? Cross-border data flows enable trade. Many businesses rely on the ability to transfer personal data about their customers or employees to be able to offer goods and services or even to run cloud-based email or file-storage systems.  Any restriction on the ability of data to flow freely would act as a trade barrier. What will happen after Brexit? During the transition period, the EU will continue to treat the UK as if it were a Member State and data can continue to flow between the UK and the EU/EEA.  When the transition period ends, the UK will not automatically benefit from this free flow of data. Brexit, particularly a no-deal Brexit, will have an impact on the data protection obligations of UK and EU/EEA data controllers.   When preparing for a no-deal exit, the UK committed to retain GDPR legislation in domestic law at the end of the transition period but will have the independence to keep the framework under review.  This means that the UK government will automatically recognise the EU as adequate for data transfers. Outbound transfers of data from the UK to the EU/EEA will not therefore be restricted as long as UK data protection rules are followed. The EU did not reciprocate, however, and will treat the UK as a third country until an adequacy decision is made. To ensure data flows continue after Brexit, the UK would therefore need to secure an adequacy decision from the European Commission.  In the meantime, appropriate safeguards are needed for data transferring into the UK from the EU/EEA. What is an ‘adequacy decision’? The European Commission may grant an ‘adequacy decision’ to allow cross-border transfers of personal data from the EU/EEA to the UK because the UK has been found to have an adequate level of data protection safeguards when compared to the EU.  This means that once the UK has been awarded an adequacy status, information can pass freely between the UK and the EU/EEA without further safeguards being required. What happens if a decision on adequacy is not reached by 31 December 2020? The transition period will end with no arrangements to ensure adequate levels of data protection in place. Therefore, the UK will be treated as any other ‘third country’ (any country outside the EU/EEA) without an adequacy decision.  This means that the UK and EU/EEA will exchange data based on their individual international transfers rules. At the moment the UK and EU/EEA both have similar rules based on the GDPR, but this might change in time. For Irish companies transferring data to the UK If a party in the EU/EEA sends personal data to someone who is outside of the EU/EEA (including the UK), they must comply with GDPR rules on international transfers of personal data. Therefore, specific safeguards will need to be put in place to ensure adequate protection for data. The GDPR sets out a number of mechanisms for the transfer data to third countries.  The most common of these mechanisms is ‘standard contractual clauses’. Standard Contractual Clauses The standard contractual clauses (SCC) are a set of standard contractual terms and conditions to which the data controller and recipient or data processor both sign up. Both sides give contractually binding commitments to protect personal data in the context of the transfer from the EU/EEA to a third country. For example, this can be done by putting in place a new/stand-alone contract between an Irish- based controller and a UK based recipient. More information The Data Protection Commission in Ireland has set out the following guidance on data and Brexit: Know your data – Brexit and Data Protection Transfers of Personal Data from Ireland to the UK in the event of a no-deal Brexit For UK companies transferring data to the EU/EEA There are currently no changes to the way you send personal data to the EU/EEA.  The Information Commissioner’s Office in the UK has set out some further guidance. The HMRC  has also released data-related guidance.  

Nov 18, 2020

It is just over one year since GDPR went live, and the new regulations and those responsible for enforcing them are flexing muscles in landmark, high profile cases. The launch may be behind us but GDPR is now an everyday reality. The main way to ensure compliance is to stay informed. We have developed a special, online interactive course in collaboration with legal experts from ByrneWallace to help you with this. We provide all the information and resources in one place that you, as an accountant, need to ensure your firm or organisation remain compliant. Interactive and engaging, GDPR for accountants - a practical guide to ongoing compliance, provides an understanding of and templates for policies and practices that should be implemented.  The course is entirely online allowing flexibility with where, when and how you work. All content is on-demand, meaning you can access when it suits you.  We have created pre-recorded video content and easy to understand written content to get you up to speed on this all important area crucial for any business from the sole trader to the state organisation and multinational corporation. We are offering a special offer as we launch this course:  For the month of September, we have an introductory discount which means you will have access for six months for just €50. Not only will you avail of a great deal saving you €25 off the normal fee, you will be awarded three CPD hours too. For more information and to book, click here. Use the discount code gdprdisc at the checkout to avail of this special offer only available for the month of September.   

Aug 30, 2019
The Data Protection Commissioner (DPC) has also issued some very useful pieces of guidance for readers based in the Republic of Ireland ( and ) , as has the Information Commissioner’s Office (ICO) for those based in the UK and Northern Ireland ( Members are, therefore, advised to regularly check the CAI, DPC and/or ICO websites for the latest information and guidance in this area.