June 2026 Article 27 GDPR applies to far more US life sciences companies than many realise Intro The extraterritorial reach of the General Data Protection Regulation (GDPR) is well known, yet many US pharma and biotech companies are surprised to learn that it applies to them, and even more surprised to learn about Article 27. If your organisation has no establishment in the EU but engages with EU based consumers, patients or trial participants, you are likely required to a

5 June 2026 Intro Human oversight sits at the centre of the EU AI Act’s governance framework for high-risk AI systems. Article 14 establishes a mandatory safeguard designed to ensure that AI systems remain subject to meaningful human control where their use may significantly affect health, safety, or fundamental rights. Far from a symbolic compliance exercise, the obligation reflects the EU legislature’s broader objective of preserving human agency and accountability in incre

In the early hours of the 7 May, EU negotiators reached provisional political agreement on amendments to the EU AI Act as part of the Digital Omnibus simplification package. The agreement, reached between the Council of the European Union and the European Parliament, represents a significant step toward simplifying and streamlining the implementation of the EU’s AI regulatory framework. Key Developments: 📅 More time for high-risk AI systems A central outcome of the AI Omnibu

May 2026 Intro The extraterritorial reach of the General Data Protection Regulation (GDPR) continues to capture organisations operating outside the European Union. While many recognise that the GDPR may apply to their activities, a critical obligation is often overlooked: the requirement to appoint an EU Data Representative under Article 27. This provision ensures that EU regulators and individuals have an accessible point of contact, reinforcing the GDPR’s core principles o

20 April 2026 Our founder and director was pleased to chair the Law Society of Ireland Intellectual Property & Data Protection Law Committee Conference on Monday, 20 April, bringing together leading legal and regulatory voices to examine the impact of AI on data protection compliance. The conference explored the evolving interaction between the General Data Protection Regulation (GDPR), the EU Artificial Intelligence Act, the EU Digital Omnibus and national developments. Part

April 2026 Intro: AI hallucinations continue to make the headlines. While AI hallucinations may just cause some minor embarrassment in the workplace, possibly get you in trouble in court, it can, as we have seen in the case of the senior journalist Peter Vandermeersch, lead to suspension from a high-profile role. GenAI can be so convincing, it can lead to unfortunate outcomes. While we all learn to navigate AI, it's a cautionary tale not to become complacent. While man

20 March 2026 Intro Under Article 17 GDPR, individuals have the right to request erasure of their data (right to be forgotten). This right is not absolute, for example the data controller needs to retain the data to comply with a legal obligation or the data controller requires the data for the purpose of a legal claim. The European Data Protection Board (EDPB) selected the topic ‘Implementation of the right to erasure by controllers’ for its 2025 Coordinated Enforcement Act

'Artificial Intelligence integration into Legal Practices' 23 February 2026 It was a real delight for our founder and director to participate in the 25th UCC Annual Law Society Conference. With the topic: AI integration into Legal Practices: Strategic Transformation of Legal Operations, Improved Efficiency and Enhanced Decision-Making, there was a lot to cover. While the surrounds were beautiful, the discussions were varied, relevant and leading to lots more discussions and q

25 February 2026 EDPB’s 2026 enforcement focus means it’s time to revisit your privacy notices—AI use included Intro In October 2025, the European Data Protection Board (EDPB) announced that transparency and information obligations under Articles 12–14 GDPR will be the focus of its 2026 Coordinated Enforcement Action (CEA). This means Data Protection Authorities (DPAs) across Europe will be examining how well organisations explain their processing activities to individuals. W

Art 27 GDPR, EU Data Rep, GDPR enforcemen

Data Protection and AI 9 January 2026 What a great start to the New Year. I really enjoyed participating in the panel session on Data Protection and AI at the Law Society's Future of Legal Practice Summit. 2026 did not wait long for AI, data protection, human rights and the impact of AI tools to be front and centre. Decisions made this year in terms of legislation and regulatory frameworks will impact society for years to come. It is time to get it right. For any queries o

5 Jan 2026 As I start year two of my membership on the IAPP Training Advisory Board AI Governance, it is great to see the impact of my contribution in a fast evolving and complex area, which will no doubt continue at speed this year.

4 December 2025 What a lovely venue for the Law Society Skillnet Practice and Regulation Symposium. Delighted to be speaking on data protection updates and the expected rollercoaster that 2026 will bring

9 November 2025 Managing data breaches in the ‘silly season’ Halloween has passed and the countdown to Christmas has begun, with only 6 full working weeks remaining before many people turn off their laptops. This period before Christmas holidays can be intense. There is pressure to deliver projects and close out work before logging off, including social occasions, children’s concerts and prep for the big day. The frantic pace leads to rushed decision-making, multitasking to

2 October 2025 While many of us were enjoying summer holidays, a short but mighty Statutory Instrument (SI) was introduced. To give it its full title: S.I. No. 366 of 2025 European Union (Artificial Intelligence) (Designation) Regulations 2025 (SI). This SI designates the Data Protection Commission (DPC) as the market surveillance authority for the purposes of Article 74 (8) EU AI Act. This designation as per Article 74 (8) is for high-risk AI systems in point 1 of Annex III

2 October 2025 Yet another reminder from a supervisory authority of the importance of vendor due diligence. The Polish Supervisory Authority has fined both the data controller McDonald's and its processor 24/7 Communication for multiple GDPR infringements arising from a data breach of employee data. Of particular note: Obligations from legislation cannot be excluded by the Data Processing Agreement (DPA) The controller did not exercise proper supervision over the personal dat

16 September 2025 Today, the Department of Enterprise, Trade and Employment a nnounced in its own words ‘ Landmark Progress in AI Act...

11 September 2025 Noteworthy decision from the Greek Supervisory authority who fined both the data controller and data processor arising from the same incident. The controller was found to have infringed its obligations to select a suitable data processor and supervise them effectively. This case highlights the need for a robust vendor managements programme from onboarding assessments to contracts and DPAs and ongoing due diligence. See EDPB for further details: https://www.e

10 September 2025 How to improve the DPA process Introduction While we are 7 years into DPAs being a requirement for both processors and controllers under the EU General Data Protection Regulation (GDPR), they are still causing bottlenecks and can impact the overall execution of master services agreements or contracts if not managed appropriately. This article seeks to look at some of the bottlenecks and how to overcome them. Article 28 GDPR As per Article 28 of the GDPR (Art

2 August 2025 Summertime milestone leaves no time for novels by the beach Intro 2 August (while Irish people enjoy the August bank...