There is probably a book yet to be written on the interplay between the General Data Protection Regulation and Brexit, but some elements can be seen now.
Unusually, the GDPR permits the introduction of some national legislation on data protection issues. They include occasions where a legal obligation mandates the processing of personal data, or the processing relates to a public interest task, or the processing is carried out by a body with official authority. There are others.
As a presumption, we believe that Brexit will not happen outside the provisions of Article 50 TEU and therefore will not happen before 25th May 2018.
If the UK makes legislative provision within the scope of the GDPR it will be incumbent on the UK to include those provisions in the Brexit negotiations and receive EU assent to their recognition, otherwise the UK derogations will fail as law (from the point of view of the EU) on the happening of Brexit.
For Irish organisations one important issue would be the receipt of consent to data processing in relation to children. The GDPR sets the age for “children” and the requirement that consent be given by parents, to be up to 16 years of age. This can be subject to national derogation and reduced to 13 years of age. If the UK derogates on the point and fails to get agreement in Brexit negotiations, Irish organisations must immediately apply the provisions of the GDPR in full.
Put another way, it would be wiser, as a commercial matter, not to give recognition to any UK legislative derogations until the full conclusion of the Brexit negotiations.
Putting it in yet another way, pending the successful (with agreement) conclusion of the Brexit negotiations, Irish organisations should not accept, in relation to data processing of personal data, the inclusion of jurisdictional law clauses in such contracts, where the stipulated legal jurisdiction is the UK.