What does a regulator really want to see when they investigate your company? In this episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan sit down with Helen Dixon, Ireland's former Data Protection Commissioner, for an unprecedented conversation about privacy compliance from the regulator's perspective. Helen shares practical insights on building effective privacy programs with limited budgets, handling data subject access requests without triggering complaints, and what actually matters when regulators assess compliance efforts. Whether you're running a growing SME or managing privacy for a larger organization, this episode offers invaluable guidance on navigating GDPR requirements with common sense, fairness, and pragmatism.
What really happens when a regulator investigates your organization? And more importantly, what can you do to stay off their radar while building a sustainable privacy program? In this episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan welcome Helen Dixon, Ireland's former Data Protection Commissioner, for a candid conversation about privacy compliance from the regulator's perspective. With over ten years leading one of Europe's most influential data protection authorities—overseeing landmark cases including Schrems litigation and levying over €3 billion in GDPR fines against tech giants—Helen brings unparalleled insights into what regulators actually look for in privacy programs.
What You'll Learn:
- Why fairness and common sense matter more than perfect documentation
- How to prioritize privacy compliance with a €100K budget (or limited time)
- The most common mistakes SMEs make that trigger regulatory complaints
- Why engaging with data subjects during access requests can prevent escalation
- What regulators really think about risk registers and documented compliance gaps
- How cooperative behavior influences regulatory outcomes (even though the GDPR doesn't explicitly say so)
- The difference between EU and U.S. regulatory approaches
- Why physical security and CCTV remain surprisingly common compliance pitfalls
- How to handle the ePrivacy compliance challenge across fragmented EU member states
- The empathy regulators have for DPOs and privacy professionals facing organizational resistance
- And so much more!
Helen Dixon most recently served as Ireland's Commissioner for Communications Regulation. Prior to that, she was the Irish Data Protection Commissioner for ten years, overseeing several landmark cases including the high-profile Schrems litigation and rulings against prominent companies such as Meta, and investigations into Twitter, TikTok, Apple, and others. Her office levied over €3 billion worth of fines for GDPR violations and, in some cases more critically, imposed important corrective actions against some of the world's largest tech companies. Helen's tenure spanned many eras in data protection, from leading a small, remote DPC through the waves of GDPR implementation to ultimately building a powerhouse office of several hundred staff. She has been called "the world's first global privacy regulator" and "a paragon of judicious, balanced, disciplined, and principled enforcement and regulation." She is currently in a listening and learning phase, having joined the board of an environmental organization focused on circular economy and packaging waste, while preparing to return to data protection and digital regulation work.
If you enjoyed this episode, make sure to subscribe, rate, and review it.
Episode Highlights:
[00:15:24] Fairness and Common Sense: The Underrated Compliance Strategy
Helen emphasizes that for SMEs in particular, applying fairness and common sense can prevent many compliance problems from escalating. While this sounds simple, it's remarkably powerful in practice. She observed repeatedly as a regulator how organizations made situations exponentially worse by trying to restrict information, delay responses, or refuse to accept their obligations under the GDPR. When faced with a data subject request or complaint, the instinct to be defensive or minimize disclosure often backfires spectacularly. Instead, approaching situations with genuine fairness—asking "what's the right thing to do here for this person?"—and common sense problem-solving frequently resolves issues before they become formal complaints or investigations. This doesn't mean organizations should ignore legitimate exemptions or protections, but rather that the starting point should be cooperation and good faith rather than adversarial positioning. Privacy professionals should advocate internally for this approach, helping business stakeholders understand that fairness and transparency typically cost less and create better outcomes than defensive strategies. This principle applies across GDPR compliance—from how you handle access requests to how you design data collection practices to how you respond to regulator inquiries.
[00:22:12] How to Spend €100K on Privacy Compliance (If You Had It)
When asked how she would prioritize a hypothetical €100K privacy budget for a 100-employee company, Helen provides a comprehensive roadmap that reveals regulatory thinking about what actually matters. First, bring in a third party to conduct a gap analysis and potentially refresh any areas that may need to be updated. Start with fundamental questions about what business you're actually in, what data supports that business, what categories of personal data you hold, whether legacy data can be disposed of, how data is secured and stored, and what jurisdictional issues arise. This foundational data mapping and inventory work is non-negotiable and cannot be skipped. Second, conduct a thorough risk assessment informed by recent case studies and case law—identifying particular exposure areas like website cookies (given French authority enforcement trends), data transfers and associated documentation, or specific high-risk processing activities. Third, review all documentation including internal policies, procedures, and templates that staff routinely use (especially for acknowledging and responding to data subject rights), plus public-facing privacy policies and notices. Fourth, address "peripheral" issues that seem trivial but trip organizations up—like event photography, delegate lists, and physical security measures. Finally, if budget remains, invest in refreshed staff training that goes beyond compliance boxes to help people understand the purpose and value of the GDPR, perhaps bringing in external speakers to enliven the topic. For organizations with limited budgets, Helen's framework provides a prioritization methodology: data mapping and risk assessment first, then documentation, then training and culture.
[00:28:57] The Art of Handling Data Subject Access Requests
Helen offers invaluable advice on handling data subject access requests (DSARs) that reveals how regulators assess organizational behavior. First and most importantly: don't approach access requests with excessive emotion or spend energy speculating about the requester's "real" motivations, even when you know it stems from a grievance. Accept that individuals have rights under the GDPR regardless of their reasons. Second, don't be afraid to engage directly with data subjects—in fact, Helen actively encourages it. While the request may come in writing, making contact to understand what they're actually looking for can dramatically limit the scope of work and satisfy their needs more effectively. If you assume reasonableness on the part of the requester (which is often justified), they frequently have a specific thing they're seeking for a specific purpose, and understanding that context allows you to provide responsive information without unnecessary over-disclosure. Third, for extensive requests where searches will be proportionally burdensome, engagement is essential for communicating timelines, processes, and the scope of proportionate searches. Fourth, communicate clearly about what you're doing and involve the data subject in understanding how you'll fulfill the request. Helen acknowledges these situations are "incredibly difficult" because they often arise in contested circumstances, but looking at case studies helps organizations learn what makes situations easier versus harder. The overarching principle: bringing interactions back to a human level, assuming good faith, and avoiding cynical or suspicious approaches serves everyone better and often prevents escalation to formal complaints.
[00:44:06] What Regulators Really Think About Compliance Efforts (Even If the GDPR Doesn't Say So)
In one of the episode's most revealing moments, Helen candidly explains the gap between what the GDPR technically requires and how regulatory enforcement actually works in practice. The GDPR doesn't explicitly set out prioritization methods—it theoretically requires DPAs to investigate every complaint from over 400 million EU persons, doesn't prioritize by organization type or size (beyond its general risk-based approach), and suggests imposing corrective measures and considering fines in every case of infringement. But in reality, this approach would be completely unworkable, tying up all regulatory resources in court cases and administration without achieving meaningful behavior change. So what actually happens? Helen explains that "in practice, how compliant and cooperative and course-correcting an organization is as you're dealing with them does count." For one-off complaints from organizations that haven't previously come to regulatory attention, if you can see they made an honest mistake, did the analysis but took the wrong fork in the road, or are genuinely trying to comply, regulators will often simply get satisfaction for the data subject and move on to focus on bigger systemic risks, repeat offenders, or situations where organizations clearly should have known better and failed to implement appropriate safeguards. This doesn't mean organizations should document known compliance gaps carelessly, but it does mean that demonstrating good faith, cooperation, and willingness to course-correct matters significantly—even though the GDPR doesn't explicitly provide for this distinction. Privacy professionals should understand this reality when advising on regulatory strategy and engagement approaches.
Episode Resources: