Legal · 5 min read · May 2026 · Solicitors · Legal Practices

GDPR and Irish Legal Practices: The DPC Enforcement Reality in 2026

The Data Protection Commission is no longer primarily a complaints-reactive body. It is conducting proactive sectoral audits, and Irish professional services firms are on that audit schedule.

For solicitors, the risk is concentrated in three areas: the use of AI tools by staff with client data, the status of data processing agreements with technology vendors, and the management of subject access requests. None of these require a client complaint to trigger an investigation.

Enforcement

DPC Enforcement Posture in 2026

Under the Data Protection Act 2018 (which gives further effect to the GDPR in Irish law), the DPC has authority to conduct on-site inspections, require production of records, and impose administrative fines under Article 83 GDPR of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. For a solicitors' practice, an investigation does not require a complaint: the DPC can open an inquiry of its own volition under s.110 of the Data Protection Act 2018.

The DPC's published enforcement priorities include professional services firms. The trigger is typically one of three things: a complaint from a client or former client; a personal data breach notification; or the DPC's own proactive sectoral review. Practices cannot assume they are too small to be investigated. The DPC has published findings against micro-businesses.

AI Tools

Staff Use of Public AI Tools: The Open Exposure

This is the area where the gap between practice and compliance is widest across Irish legal practices in 2026.

When a member of staff copies client correspondence, contract terms, or file notes into a public AI assistant (ChatGPT, Gemini, Copilot on a personal account), they are disclosing personal data to a third party with which the firm has no written Article 28 contract, without a documented lawful basis under Article 6 GDPR for that disclosure, and potentially to a provider outside the European Economic Area without the transfer safeguards Chapter V GDPR requires. Whether the provider is treated as a processor or, on a consumer account, as an independent controller, the firm has lost control of the data at the moment it is pasted in.

Each of these is a standalone GDPR failing. Together, they constitute a systemic compliance failure, and one that no amount of vendor security on the firm's approved systems can compensate for.

What the DPC will look for on inspection

  • A written, dated policy prohibiting the use of non-approved AI tools with client data — acknowledged in writing by all staff.
  • Documentation that approved AI tools (if any) are contracted under Article 28 GDPR with a Data Processing Agreement in place.
  • Evidence that the firm has assessed and documented its AI-tool risk landscape, including tools used by individual staff members outside formal IT procurement.
  • An Article 30 record of processing activities identifying all third-party processors, the categories of data they handle, the lawful basis for the processing, and any transfers outside the EEA.

The Law Society of Ireland's practice guidance is clear: client data must not be processed using tools that have not been assessed, contracted under Article 28 GDPR, and approved. A general prohibition circulated once by email does not constitute a documented policy. It must be a formal written policy, acknowledged in writing by each member of staff.

SAR Obligations

Subject Access Requests: The One-Calendar-Month Clock

Under Article 15 GDPR, a data subject is entitled to confirmation of whether personal data is held, a copy of that data, and information about how it is processed. Under Article 12(3), the response deadline is one month from receipt of the request, extendable by a further two months where the complexity or number of requests makes that necessary. The extension is not automatic: the requester must be told of it, with the reasons, within the first month, and an extension notified after that point is out of time.

In a solicitors' practice, SARs are frequently submitted by former clients or opposing parties in litigation. They are not optional, and they cannot be refused on the grounds that the files are voluminous or that material is held by a third-party storage provider.

Practices must have a documented SAR procedure: a designated person who receives and processes requests; a step to verify the requester's identity where there is reasonable doubt, without using that step to delay the clock; a process for identifying all data held across all systems, including email, case management, cloud storage and any archived or off-site files; a review stage to identify any applicable restrictions (legal professional privilege under s.60 of the Data Protection Act 2018, and data relating to others that Article 15(4) protects); and a log of all SARs received, recording the date of receipt, the deadline, any extension and the date it was notified, and the date of response.
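As an added illustration (not code from this article, the Law Society or the DPC), the following is a minimal SAR log that computes the Article 12(3) deadlines, refuses an extension that would be notified after the first month, and flags overdue requests. It assumes the corresponding-date convention for counting a calendar month (the same day number in the following month, or that month's last day when it has none; confirm this against current EDPB and DPC guidance before relying on it). The request references, names and dates are constructed for the example.

```python
"""Minimal SAR deadline log (added example; not the article's or any regulator's code)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date


def add_months(start: date, months: int) -> date:
    """Corresponding-date rule: same day number in the target month, or that
    month's last day if it has no such day (31 Jan + 1 month -> 28/29 Feb).
    ASSUMPTION: this is the month-counting convention applied; verify it."""
    total = start.month - 1 + months
    year, month = start.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class SarRequest:
    ref: str
    requester: str
    received: date
    extended: bool = False
    extension_notified_on: date | None = None
    responded_on: date | None = None

    @property
    def base_deadline(self) -> date:
        # Article 12(3): one month from receipt.
        return add_months(self.received, 1)

    @property
    def response_deadline(self) -> date:
        # A valid extension adds two further months, i.e. three from receipt.
        return add_months(self.received, 3) if self.extended else self.base_deadline

    def extension_window_open(self, notified_on: date) -> bool:
        # The extension must be notified, with reasons, within the first month.
        return notified_on <= self.base_deadline

    def extend(self, notified_on: date) -> None:
        if not self.extension_window_open(notified_on):
            raise ValueError(
                f"{self.ref}: extension notice on {notified_on} is after the "
                f"one-month deadline of {self.base_deadline}; extension not available"
            )
        self.extended = True
        self.extension_notified_on = notified_on

    def is_overdue(self, as_of: date) -> bool:
        return self.responded_on is None and as_of > self.response_deadline

    def days_remaining(self, as_of: date) -> int:
        return (self.response_deadline - as_of).days


class SarLog:
    def __init__(self) -> None:
        self.requests: dict[str, SarRequest] = {}

    def record(self, req: SarRequest) -> SarRequest:
        if req.ref in self.requests:
            raise ValueError(f"duplicate SAR reference {req.ref}")
        self.requests[req.ref] = req
        return req

    def overdue(self, as_of: date) -> list[SarRequest]:
        return [r for r in self.requests.values() if r.is_overdue(as_of)]

    def due_within(self, as_of: date, days: int) -> list[SarRequest]:
        return [
            r for r in self.requests.values()
            if r.responded_on is None and 0 <= r.days_remaining(as_of) <= days
        ]


def sample_log() -> SarLog:
    """Constructed entries: a former client, an opposing party, a new request."""
    log = SarLog()
    log.record(SarRequest("SAR-2026-001", "former client A", date(2026, 2, 27)))
    ext = log.record(SarRequest("SAR-2026-002", "opposing party B", date(2026, 1, 31)))
    ext.extend(date(2026, 2, 20))            # within the first month: valid
    ext.responded_on = date(2026, 4, 28)     # answered inside the extended period
    log.record(SarRequest("SAR-2026-003", "former client C", date(2026, 4, 20)))
    return log


if __name__ == "__main__":
    today = date(2026, 5, 1)
    for r in sample_log().overdue(today):
        print(f"OVERDUE {r.ref}: deadline {r.response_deadline}, {r.days_remaining(today)} days")
```

Run against the constructed entries on 1 May 2026, SAR-2026-001 (received 27 February, never answered, due 27 March) is reported overdue; SAR-2026-002 was validly extended on 20 February and answered on 28 April, two days before its 30 April deadline; SAR-2026-003 is still inside its first month. The same request received on 31 January but with an extension notice dated 2 March is rejected, because the notice would fall after the 28 February deadline.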

Data Retention

Retention Schedules: Two Obligations to Reconcile

The Law Society of Ireland's Guide to Good Professional Practice provides guidance on file retention periods. For most conveyancing and litigation files, the general rule is seven years from conclusion of the matter. Trust files, wills, and probate matters require longer retention.

For AML-regulated solicitors, the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 s.55 mandates retention of AML records for a minimum of five years from the date the business relationship ends or the transaction is completed.

The GDPR principle of storage limitation under Article 5(1)(e) requires that personal data is not kept in identifiable form beyond the period necessary for the purpose for which it was processed. These two requirements, the regulatory minimum retention period and GDPR storage limitation, must be reconciled in a formal retention schedule. The schedule must specify, for each category of record, the retention period, the legal basis for keeping it that long, the trigger that starts the clock (file closure, end of the business relationship, completion of the transaction), and the destruction process on expiry, including copies held in backups and with third-party storage providers. A retention schedule that has not been reviewed since before 2025 will not reflect the current regulatory position.

Article 28 GDPR — Data Processing Agreements

Every technology vendor that processes personal data on your firm's behalf requires a written Data Processing Agreement under Article 28 GDPR. This includes document management systems, case management software, cloud storage providers, email hosting, and any AI tools used with client data. A compliant DPA must contain the terms Article 28(3) lists: processing only on the firm's documented instructions, confidentiality obligations on the vendor's staff, appropriate security measures, prior authorisation and flow-down of terms to sub-processors, assistance with data subject requests and breach notification, deletion or return of the data at the end of the service, and the firm's right to audit. Where a vendor is based outside the EU/EEA, or uses sub-processors that are, additional transfer safeguards are required under Chapter V GDPR (an adequacy decision, or standard contractual clauses supported by a transfer impact assessment). The absence of a DPA is a compliance failure independent of any breach.

Immediate Action Checklist

Four tasks. Each addresses a specific area the DPC examines on inspection.

  • Audit all technology vendors processing client data — confirm a written Article 28 DPA is in place for each.
  • Issue and enforce a written policy prohibiting use of non-approved AI tools with client data. Obtain written staff acknowledgement.
  • Establish a documented SAR procedure with a designated contact, a defined process for identifying data held across all systems, and a response log.
  • Produce a formal data retention schedule reconciling Law Society guidance, AML Act s.55 obligations, and the GDPR storage limitation principle — reviewed and dated within the last 12 months.

The DPC's proactive audit programme does not wait for a breach. It assesses whether the structures that prevent breaches are in place.

Oibrio monitors Law Society guidance, DPC enforcement and the AML inspection cycle so your practice stays ahead of the next supervisory visit.

Bi-weekly. No marketing.