The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission


Sections 10 (1A) and (1B) of the Data Protection Acts provide that:

"The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and the Electronic Communications networks and Services Regulations of 2003 and to identify any contravention thereof"

These investigations usually take the form of audits of selected organisations. A number of such audits are carried out each year. The aim of an audit is to identify any issues of concern about the way the organisation deals with personal data and to recommend solutions.

An organisation selected for audit is usually given a number of weeks' notice of the audit. It may be asked to provide in advance a written report on its data protection practices. The audit normally includes one or more on-site visits by an audit team from the Office. During these visits, the team will meet with selected staff of the organisation. They will also usually inspect electronic and manual records. At the end of the audit, the team prepares a report which typically includes a set of recommendations. The organisation audited is given an opportunity to comment on this before it is finalised. The Office may follow up later on how these recommendations have been acted on.

Guide to Audit Process - August 2014

This guidance will assist organisations selected for audit by the Office of the Data Protection Commissioner and provide organisations holding personal data with a simple and clear basis to conduct a self-assessment of their compliance with their obligations under Irish Data Protection Law.