Partner Content

Data Protection for Business: Key Trends for Managers and Leaders in 2026

By Business & Finance
04 February 2026

Data protection has been a priority for business leaders and managers since the introduction of the General Data Protection Regulation (GDPR) in May 2018. The potential for large fines of up to €20 million or 4% of global turnover was sufficient for boards and senior teams to ensure it remained high on the corporate agenda.

By Steven Roberts


The modern economy has become even more dependent on the processing of data in the eight years since the GDPR came into effect. In this short article, we will look at some of the key trends managers should be mindful of in 2026.

Artificial Intelligence

The use of artificial intelligence (AI) technologies offers great potential for productivity and efficiency gains. A recent survey by PwC found 70% of companies were planning to increase their AI budgets in 2026. Many of these AI tools process personal data and can pose data privacy risks in areas such as transparency and accuracy. The ‘black box’ nature of the technology means it is often unclear what personal data is being processed and how particular decisions or outcomes have been reached. This is a particular concern where decisions can potentially have legal effects for individuals. 

One of the best mechanisms to ensure GDPR compliance is undertaking a data protection impact assessment (DPIA) for any new AI projects that involve the processing of personal data. The GDPR requires a DPIA to be undertaken in certain high-risk instances; however, it is increasingly seen as a best practice tool that demonstrates transparency and accountability on the part of the company. This aligns with the Regulation’s principle of data protection by design and default and ensures data privacy is considered from the outset. Importantly for firms, the use of a DPIA can often identify risks at an early stage. This allows time for mitigating options to be considered and can reduce costly delays and rollbacks at a later stage in the project.

New Legislation

One of the biggest challenges for Irish firms in 2026 is dealing with a wide range of new and recent EU legislation. The EU’s Digital Decade has introduced laws in areas such as artificial intelligence, cybersecurity, operational resilience and data governance. Companies and their compliance and legal teams must assess their responsibilities and understand the interplay between these laws. For example, the AI Act and the GDPR both have a requirement for ‘transparency’; however, this can have subtly different meanings in the context of each law.

Boards and senior management should regularly assess their compliance teams from a resourcing and skillset perspective. The range of new laws places a considerable burden on these teams. The potential for burnout or governance inefficiencies is significant. SMEs and micro-businesses, who typically rely on a handful of senior leaders, should consider external expertise to supplement existing skillsets. 

Regulatory Uncertainty

The US and UK administrations have taken a different regulatory approach to the European Union. They have sought to reduce the administrative burden on firms to encourage innovation and a stronger start-up culture, particularly in high-growth areas such as AI. Recognising this threat, the EU commissioned the Draghi Report in 2024 to identify ways in which competitiveness could be improved. One of the outcomes is a proposed Digital Omnibus – a series of measures to reduce regulatory pressures on smaller and mid-sized organisations. If approved, it would have an impact on a range of EU laws, including the GDPR and the AI Act. Business leaders should monitor the Omnibus’s progress closely; it is unlikely to be finalised until late 2026 or early 2027 and may undergo significant change in the interim.

Businesses trading outside the EU/EEA must also keep track of changes in local legislation in those international markets. The UK’s Data (Use and Access) Act, for example, introduced a number of data protection changes that companies will need to take account of. Thankfully for Irish firms trading into that jurisdiction, the EU recently extended its adequacy decision for a further six years to December 2031, deeming the UK to have a data privacy regime that is essentially equivalent to the GDPR.

Fines, Penalties and Non-Material Damage

The introduction of the GDPR caused uncertainty for many firms, who were unsure of the risk profile for their industry and sector. Since 2018, fines have been placed on businesses of all sizes. However, the largest penalties, and the core focus of supervisory authorities’ regulatory activity, have been directed primarily towards technology firms that process personal data on a very large scale. Ireland’s Data Protection Commission has been at the forefront of this activity, with its €1.2 billion fine of Meta in 2023 the largest so far issued under the Regulation.

GDPR also introduced the right of individuals to seek compensation for non-material damage arising from breaches of the Regulation. Compensatory amounts have so far been very low. The Irish Supreme Court recently noted that those making such claims could not expect anything other than very modest awards.

The Potential for Directors’ Liability

EU supervisory authorities have criticised failings in companies’ senior leadership relating to oversight of data privacy. In 2024, the Dutch authority announced it was investigating whether directors of Clearview AI could be held personally liable for breaches of the GDPR. A recent High Court judgement found a director personally liable for a breach of the Data Protection Acts 1988 and 2003. Boards and senior management teams should monitor developments in this area closely. 

What Steps Can Irish Businesses Take?

There is a range of practical steps Irish companies can undertake to ensure best practice compliance with the GDPR:

  1. Provide data protection training for new staff, along with regular refresher training for existing teams. A company is only ever as compliant as its least-trained member of staff.
  2. Ensure compliance and legal departments have sufficient resources and appropriate skillsets to operate effectively.
  3. Keep updated on the latest guidance from the Data Protection Commission.
  4. Closely monitor the progress of the proposed new Digital Omnibus package.
  5. Keep data protection on the agenda for senior leadership, to ensure there is a visible and demonstrable focus on building a strong privacy culture throughout the organisation.
  6. Undertake data protection impact assessments (DPIAs) for any projects that involve the processing of personal data, with a particular focus on AI tools, given the rapid adoption of that technology.
  7. Keep a record of processing activity, undertake regular audits of personal data and ensure policies and procedures are updated to remain fit for purpose. 

About the author:

Steven Roberts CDir is Group Head of Marketing at Griffith College and Vice Chair of the Compliance Institute’s Data Protection and Information Security Working Group. He is a Chartered Director, Certified Data Protection Officer and a Fellow of the Chartered Institute of Marketing. His new book, Data Protection for Business: Compliance, Governance, Reputation and Trust, will be published in February by Clarus Press. Readers who wish to purchase a copy of the new book can avail themselves of a discount on the Clarus Press website using the code Datapro26.