
Data Protection for Boards: Key Trends in 2026


In this article, Steven Roberts CDir, Head of Marketing, Griffith College and Vice Chair, Compliance Institute’s Data Protection and Information Security Working Group examines the key data protection trends shaping 2026, from AI‑driven risks to evolving EU legislation, offering essential insights for boards navigating an increasingly complex regulatory landscape.

Data protection warrants continued prioritisation from boards and directors in 2026. Consumer awareness and expectations remain high. A recent public attitudes survey by the Data Protection Commission indicated two-thirds of respondents would lose trust in an organisation if it misused personal data. A recent report from AON identified cyberattacks and data breaches as the number one risk for Irish businesses. Non-compliance with the GDPR, meanwhile, can result in very high penalties, such as the Commission’s €530 million fine of TikTok in May of last year. 

The data privacy landscape has changed significantly in the five years since my previous book was published. New case law, a better understanding of the priorities of supervisory authorities, and a range of guidance and guidelines have helped provide more clarity to Irish businesses. At the same time, a suite of adjacent EU legislation has created substantial resource and skillset challenges, whilst the rapid adoption of new AI technologies poses particular data privacy risks. 

In this short article, I look at some of the key trends leaders must take account of in 2026; topics that I expand upon in detail in my new book, Data Protection for Business: Compliance, Governance, Reputation and Trust, which is due for publication with Clarus Press in February.

Artificial Intelligence

Companies of all sizes are exploring ways to increase productivity and efficiency through the use of AI technologies. Many of these systems process personal data, and as such fall under the scope of the GDPR. AI is complex and often opaque. It thus presents particular data privacy challenges, for example in meeting the GDPR’s requirement for transparency and accuracy. There is also the potential for automated decision-making without a human in the loop, something to which individuals can object under article 22 of the GDPR.

Companies considering the introduction of new AI technologies must keep data protection in mind throughout the project, adhering to the principle of data protection by design and default. The use of tools such as a Data Protection Impact Assessment can identify potential privacy risks at an early stage, reducing the likelihood of costly delays later, when a project has to be redeveloped or paused due to GDPR concerns.

Adjacent Legislation

Dealing with a complex range of adjacent legislation is one of the biggest challenges for companies’ compliance and data protection teams in 2026. Driven by the EU’s Digital Decade initiative, new laws have been introduced in areas such as Artificial Intelligence, Data Governance, Digital Operational Resilience, and Cybersecurity, amongst others. At the same time, legislation such as the proposed ePrivacy Regulation has been paused. 

Boards must consider the existing skillsets of their legal, data privacy and compliance teams. Adequate resources are required to avoid burnout. This is a concern across all sizes of organisation but is particularly burdensome for small and medium-sized businesses without access to extensive in-house resources. Firms trading outside the EU/EEA must also contend with any new or existing privacy laws in those countries.

Digital Omnibus

Globally, approaches are diverging. The Trump Administration and, to a lesser extent, the UK government have introduced initiatives to lighten the regulatory load on companies. Prompted by the need to maintain competitiveness, the EU undertook its own review in 2024, headed by Mario Draghi. The subsequent Draghi Report identified significant barriers to promoting innovation and a strong start-up culture, particularly in growth areas such as artificial intelligence. The EU’s response is a proposed Digital Omnibus. This is a suite of measures aimed at reducing the regulatory burden on small and mid-sized firms in the European Union, including aspects of the GDPR and the AI Act. A final version is unlikely before late 2026 or early 2027 and may be subject to substantial further amendments. This split between regulation-heavy and regulation-light approaches will be challenging for organisations with an international footprint.

Renewal of UK Adequacy Decision

On 19th December 2025, the European Commission renewed its adequacy decision for the United Kingdom for a period of six years, up to 27th December 2031. This means the Commission views the UK as having a data protection regime that is essentially equivalent to that provided within the EU. It is good news for firms trading into the jurisdiction as it avoids the requirement for additional data transfer mechanisms such as Standard Contractual Clauses (SCCs). The UK Government’s Data (Access and Use) Act 2025 initiated relatively minor data protection changes; firms should continue to keep a weather eye on developments this year.

Conclusion

The processing of personal data is a key component of the modern digital economy, a process accelerated by new AI technologies. Boards should set aside sufficient time to ensure there are clear structures in place, with sufficient resourcing, to deal effectively with data protection compliance requirements. Leaders need to balance conformance with performance, identifying and leveraging the benefits of new AI technologies, whilst ensuring compliance with GDPR and a host of adjacent legislation. Those organisations with a clear strategy, aligned with risk appetite and effective resourcing, will be well placed to thrive. Alongside this, firms will need to demonstrate agility in adapting to ongoing change in the global regulatory environment.

This article is the view of the author(s) and does not necessarily reflect IoD Ireland’s policy or position.

About the Author

Steven Roberts CDir is Group Head of Marketing at Griffith College and Vice Chair of the Compliance Institute’s Data Protection and Information Security Working Group. He is a Chartered Director, Certified Data Protection Officer and a fellow of the Chartered Institute of Marketing.

His new book, Data Protection for Business: Compliance, Governance, Reputation and Trust, will be published in February by Clarus Press. Readers who wish to purchase a copy can avail of a discount on the Clarus Press website by using the code Datapro26.