GDPR, Data Sharing and AI Compliance

Cover Image for GDPR, Data Sharing and AI Compliance

| Courtney Price

In his recent webinar, Data Sharing Agreements, Data Subject Access Requests and the GDPR, Mark D. Finan explained that recent court decisions and new AI obligations are changing how organisations should approach data protection, data sharing and compliance. Here are the practical issues accountants should be discussing with clients.

Data protection continues to evolve through both legislation and the courts. Recent Irish judgments have clarified how GDPR compensation claims are assessed, while the EU AI Act introduces new obligations that extend far beyond technology companies.

For accountants and advisers, these developments create both compliance challenges and opportunities to support clients with practical governance advice.

1. GDPR compensation claims are becoming clearer

One of the most significant recent developments is the Irish Supreme Court's decision in Dillon v Irish Life Assurance plc. The judgment provides greater clarity on claims involving non-material damage following a GDPR breach.

A key distinction is now drawn between temporary distress or embarrassment and recognised psychiatric injury.

For organisations, this means that:

  • a data breach does not automatically result in substantial compensation;
  • claimants must still demonstrate that they suffered damage linked to the breach; and
  • evidence remains central to any compensation claim.

The judgment also confirms that data protection claims represent a standalone legal cause of action under the Data Protection Act 2018.

For advisers reviewing organisational risk, this provides a clearer framework for assessing potential exposure following a data breach.

2. Responding properly to a data breach still matters

Although recent case law narrows some compensation claims, organisations should not become complacent.

When a breach occurs, practical response remains critical.

The presentation highlighted several important steps:

  • acknowledge the breach promptly where one has occurred;
  • notify affected data subjects where required under GDPR;
  • explain the actions taken to contain the breach;
  • demonstrate how similar incidents will be prevented in future; and
  • maintain clear records of the response.

A transparent and timely response may significantly reduce both legal and reputational risk.

3. Evidence is increasingly important

Recent Circuit Court decisions also reinforce that inconvenience or embarrassment alone will not necessarily justify compensation.

Where claimants cannot demonstrate measurable impact, courts may decline to award damages despite accepting that a breach occurred.

For organisations, this underlines the importance of:

  • maintaining accurate breach records;
  • documenting investigation steps;
  • recording remedial actions; and
  • preserving evidence showing how risks were addressed.

Good documentation supports both regulatory compliance and legal defence.

4. Review data sharing arrangements carefully

Many organisations routinely share information across related companies, group structures or external advisers.

However, being part of the same corporate group does not automatically permit unrestricted data sharing.

The session highlighted several situations where organisations should review their arrangements carefully, including:

  • group companies sharing customer information;
  • mergers and acquisitions;
  • due diligence exercises;
  • professional advisers accessing client information; and
  • disclosure of documents during litigation.

Where third parties process personal data, organisations should ensure appropriate contractual arrangements are in place and that the processing remains consistent with the original lawful basis.

For accountants carrying out audit or advisory work, engagement terms should clearly define access to relevant information.

5. Data Subject Access Requests require structured procedures

The webinar also examined recent European case law concerning Data Subject Access Requests (DSARs).

The Court of Justice of the European Union has clarified that organisations may, in limited circumstances, refuse requests that constitute an abuse of process.

That does not reduce the importance of handling requests properly.

Organisations should maintain documented procedures covering:

  • receipt of requests;
  • assessment;
  • decision-making;
  • response times; and
  • reasons where a request is refused.

Consistent procedures reduce both operational risk and regulatory exposure.

6. The EU AI Act affects more organisations than many realise

Artificial intelligence is now becoming a mainstream governance issue rather than simply a technology issue.

The presentation emphasised that the EU AI Act applies across sectors, including charities, SMEs and professional firms.

Several practical obligations deserve immediate attention.

Know where AI is being used

Many organisations already use AI without formal oversight.

Employees may rely on publicly available AI tools to draft emails, summarise documents or analyse information.

Boards and management should understand:

  • which AI systems are being used;
  • who is using them;
  • what information is being entered; and
  • whether personal or commercially sensitive data is involved.

Creating an AI inventory is a practical first step.

Introduce an AI policy

Every organisation should have a documented position on AI use.

Whether AI is encouraged, restricted or prohibited, employees should understand the organisation's expectations.

Without clear governance, organisations risk inconsistent practices across departments.

Be transparent

The EU AI Act introduces transparency obligations in many situations.

Where people interact directly with AI systems, organisations may need to make this clear.

Transparency should become part of wider governance rather than an afterthought.

Provide appropriate training

If AI forms part of day-to-day operations, organisations should consider how employees receive appropriate guidance on its responsible use.

Training should reflect the systems actually being used within the organisation and support appropriate human oversight.

Practical opportunities for accountants

Many of these developments create additional advisory opportunities.

Clients increasingly need practical assistance with:

  • reviewing GDPR compliance;
  • assessing data sharing arrangements;
  • documenting AI use;
  • developing AI governance policies;
  • updating risk registers; and
  • strengthening internal compliance procedures.

Rather than treating GDPR and AI as isolated legal issues, firms can help clients integrate them into broader governance and risk management frameworks.

Recent legal developments provide greater certainty in several areas of data protection law, while the EU AI Act introduces a new layer of governance for organisations of every size.

For accountants, the focus should remain practical. Strong documentation, transparent processes and proportionate governance will place clients in a stronger position when regulatory or legal issues arise.

As AI adoption accelerates, helping clients understand where these obligations intersect with existing GDPR responsibilities is likely to become an increasingly valuable advisory service.

The contents of this article are meant as a guide only and are not a substitute for professional advice. The authors accept no responsibility for any action taken, or refrained from, as a result of the material contained in this document. Specific advice should be obtained before acting or refraining from acting, in connection with the matters dealt with in this article.

Image of Courtney Price

About the Author

Courtney Price is a content creator for CPDStore. Courtney joined us during the COVID-19 pandemic and has been involved in the ever-evolving world of accounting ever since. Her passion for reading and writing, coupled with her degree in copywriting from Vega School has allowed her to channel her creativity and expertise into crafting engaging and informative content.