Conference Chairperson & Opening Remarks

Kate Colleary, Director - Pembroke Privacy, Country Leader Ireland- IAPP

DSAR or Discovery in Disguise?

Speaker: Laura Fannin, Partner, Commercial & Business Team at Hayes Solicitors

• Circumstances under which a DSAR can be lawfully refused
• How to appropriately respond when declining a request
• Identifying ‘manifestly unfounded’ or ‘excessive’ requests
• Signs of bad faith or misuse of access rights
• Applying proportionality and reasonableness to scope
• Key exemptions under GDPR and Irish law
• Practical advice on applying exemptions and documenting rationale

AI Governance and the EU AI Act

Speaker: Liam McKenna, Partner, Forvis Mazars

• Overview of the EU AI Act: definitions, scope, and obligations
• Risk classification tiers: what they mean for data processing
• Transparency and record-keeping duties under the Act
• Role of the DPO in AI compliance: overlaps with GDPR responsibilities

Data Protection and AI – Legal and Operational Risks

Speaker: David O’ Sullivan, Director, Privacy and Data Protection Team, Forvis Mazars

• Is automated decision-making the same as AI? Clarifying scope
• Common uses of AI (e.g. recruitment, fraud detection, note-taking): when DPIAs are required
• Use of AI by processors (e.g. Microsoft Copilot, Google Gemini): who is accountable?
• Profiling obligations when using hashed or pseudonymised data
• Necessity for AI-specific data protection policies and documentation
• Joint assessments: Are combined DPIA/FRAIs valid?

Records of Processing Activities (RoPA) – Practical Compliance

• Common pitfalls in maintaining accurate RoPAs
• Making RoPAs useful for audits, breaches, and DPIAs
• Tools and software for automating RoPA maintenance
• Integrating RoPA with wider compliance documentation

Preparing for a DPC Audit or Inquiry

• What triggers an investigation and how to respond
• Key documentation to maintain and submit
• Managing regulator communications effectively
• Common findings and how to avoid them

Biometric, Facial Recognition, Surveillance Data

Speaker: Adam Finlay, Partner, McCann Fitzgerald

• Legal basis and consent challenges in using biometric and facial recognition data, especially in workplaces and public settings
• GDPR requirements for special category biometric data, including explicit consent and purpose limitation
• Use of CCTV and facial recognition technology (FRT): when DPIAs are mandatory and what safeguards are expected
• Impact of the EU AI Act on real-time surveillance and high-risk biometric systems
• Caselaw and regulatory enforcement trends on biometric surveillance and employee monitoring

Anonymisation and Re-Identification Risks

Speaker: Gillian Traynor, Director, Ambit Compliance

• When anonymised data may no longer be considered anonymous
• Pseudonymisation: benefits, limitations, and misconceptions
• Technical best practices for safeguarding data identities
• Case examples: re-identification incidents and regulator responses

Vendor Risk, Third-Party Processors & Supply Chain Data Compliance

Speaker: Zelda Deasy, Partner, Byrne Wallace Shields LLP

• Conducting effective due diligence on processors, sub-processors, and SaaS providers before onboarding
• Ensuring contracts (DPAs) meet Article 28 GDPR requirements, including audit rights and breach obligations
• Managing risks from AI-enabled tools and cloud-based processors (e.g. Microsoft Copilot, Google Workspace)
• Monitoring ongoing compliance through audits, questionnaires, and RoPA updates
• Real-world examples of supply chain failures and enforcement outcomes