Regulated Irish firms hold a lot of sensitive personal data. ID documents, PPSNs, family trust structures, tax references, source-of-wealth evidence — the CDD packs required by the AML regime are, by their nature, GDPR-rich. One breach, one misdirected email, one stolen laptop, and your firm is on the clock.
The 2026 enforcement picture
The Data Protection Commission has issued billions in fines since GDPR took effect. For most of that time, the headline numbers went to the big platforms. That has changed. DPC enforcement in the last 18 months has increasingly focused on:
- Professional services firms with poor DSAR response processes
- SMEs with no breach response plan
- Firms using cloud storage without adequate data processing agreements
- Any firm involved in a reportable breach that failed to notify within 72 hours
What every Irish regulated firm needs
1. A Record of Processing Activities (ROPA)
Under Article 30 GDPR, most Irish firms must maintain a ROPA. For regulated firms, this is also your map to understanding where you hold what data, which matters for both GDPR and AML record-keeping.
2. A Data Subject Access Request (DSAR) process
Clients (and former staff) are entitled to receive a copy of their data within 30 days of making a request. Firms without a clear DSAR process routinely miss this deadline. The fix is a documented workflow, a nominated owner, and staff who know to route DSARs to that owner immediately.
3. A breach response plan
The clock starts when the firm becomes aware of the breach. You have 72 hours to notify the DPC (unless the breach is unlikely to result in a risk to individuals). A pre-prepared template is the single biggest factor in meeting the deadline.
4. Staff training
Almost every breach starts with a human mistake: phishing, misdirected emails, lost devices, improperly shared files. Training — not technology — is the strongest control.
Pre-prepared DPC notification template
Subject: Personal Data Breach Notification – [Firm Name]
1. Nature of the breach: [confidentiality / integrity / availability — with one-line description]
2. Categories and approximate number of data subjects concerned: [e.g., 120 client records]
3. Categories and approximate number of personal data records concerned: [e.g., names, addresses, PPSNs, AML CDD documents]
4. Likely consequences: [e.g., identity fraud risk]
5. Measures taken or proposed: [containment, investigation, notification]
6. Contact point for further information: [DPO / nominated contact]
GDPR and AML: the interaction
Irish regulated firms often ask whether GDPR constrains their AML obligations. The short answer is no — AML obligations override. Recital 43 of the 4th AML Directive is explicit that AML processing is a public-interest task. That said, the data collected for AML must still:
- Be limited to what is necessary
- Be held securely
- Be kept for no longer than is required (six years for AML records post-relationship end)
- Be disposed of securely afterwards
Training is still the weakest link
The DPC keeps saying it, and it keeps being true: the firms that end up in enforcement decisions are the ones whose staff didn't know the rules. A phishing click, a CC instead of a BCC, a forgotten encryption step — each can trigger a reportable breach.
Our Cybersecurity & GDPR course is designed specifically for Irish regulated firms. Forty minutes, phishing simulator, DPC-aligned breach response training.
Book a 15-minute demo to see how it works.
