It’s one year until the introduction of the EU’s substantial overhaul of data protection laws, the General Data Protection Regulation (GDPR), but only 14% of Irish SMEs have begun getting ready, according to a new study for the Data Protection Commissioner (DPC) conducted by Amárach Research.

The DPC has embarked on a significant information campaign to help businesses and organisations, particularly SMEs, in their preparations for the introduction of the GDPR.

With the launch of a GDPR focused website (, the DPC is putting in place a critical resource and support system as organisations prepare to be GDPR-ready.

The new website will include guidance material to educate and guide organisations on what the GDPR will mean for them and how they can plan for its implementation.

The DPC has produced a 12-step guide to getting ready, as well as a video and other downloadable materials, and will continue to add to this published guidance over the coming months.

The DPC will also continue to undertake a significant number of speaking engagements and meetings with industry and sector representatives to build awareness of the new law.

Data Protection Commissioner, Helen Dixon said, “Data protection laws exist to ensure fair play for everyone in how their identity and personal data is used by big corporations, governments and all sort of organisations and businesses. The GDPR is a game- changing overhaul of our current data protection laws. It will impact every type of company and organisation regardless of their size and require many of them to take significant action well before May 25th 2018.

“The DPC is here to assist companies and organisations understand the steps they need to take on their journey towards GDPR-readiness. Through our engagement with industry and organisations from all sectors, as well as our new website which will be regularly updated with new guidance, our aim is to drive awareness of the new law by providing information and guidance that will assist organisations to be GDPR-compliant by May 2018.”


The survey found that just over a quarter of businesses (26%) did not know when they expect to begin their GDPR-implementation plan, with this number increasing to 27% for businesses located in Munster and 39% for micro enterprises (1-9 employees).

Despite a high level of awareness of GDPR (69%) among businesses in Munster, just 27% admitted to being aware that it will be effective from 25th May 2018. Medium enterprises (50-249 employees) and SMEs in Dublin were the most likely to be aware (49% and 42% respectively).

With one year to go, the survey found that 67% of companies have yet to carry out an assessment of all the personal data they hold, but 37% of businesses in Munster have already carried out an assessment. Medium-size enterprises (39%) and SMEs in Dublin (40%) are the most likely to have assessed this.

57% of Irish SMEs said they have still to assess why they hold personal data and 64% said they had not assessed how long they needed to keep this data. 42% of businesses in Munster have assessed why they hold personal data and 40% have assessed how long they need to hold the data.

In terms of the changes GDPR will bring, 83% of businesses were unable to name any changes for their organisation and three in five (59%) admitted to being unaware of the large-scale fines that could be imposed for non-compliance with just 40% of businesses in Munster being aware.

While 73% of Irish SMEs surveyed did not know whether they would be required to appoint a Data Protection Officer, this number rises to 90% among micro enterprises. 21% of businesses in Munster said that they were aware of the need to appoint a Data Protection Officer.

Encouragingly, 51% of Irish SMEs already have a staff member in place who is responsible for overseeing compliance with data protection, with SMEs in Dublin (58%) and Munster (58%) the most likely to have someone in place.

The message is that you need to start preparing for GDPR sooner rather than later – further information at