18 October 2016

Irish firms are not prepared for changes to European Data Protection law, according to a survey carried out by McCann FitzGerald and Mazars

The EU’s new data protection laws will come into force in just over 19 months but many Irish firms have not begun preparing for the change, a joint survey carried out by law firm McCann FitzGerald and professional services firm Mazars suggests.

The survey explored the readiness of Irish business for the implementation of General Data Protection Regulation (GDPR) in May 2018, as well as gauging the estimated difficulty for businesses of complying with the new requirements.


The GDPR provides for heavy penalties for companies that are in breach of the regulation and includes fines of up to 4% of global turnover or €20 million (whichever is greater) in the case of a breach.

According to the survey, many businesses have not yet addressed some of the key requirements of the GDPR. While 82% of organisations think that meeting the challenges of GDPR will be challenging to extremely challenging, only 16% of organisations have actually mobilised a project to meet those compliance requirements. 43% envisage that creating and maintaining an inventory of personal data will be the most challenging requirement to address.

The GDPR provides for a more explicit ‘right to be forgotten’ than currently exists under European data protection law. 55% expect implementing the ‘right to be forgotten’ will be very or extremely challenging.

Under the GDPR there will be an obligation on certain categories of data controllers and data processors to appoint a Data Protection Officer (DPO) in order to monitor compliance with the GDPR. According to the survey, 30% of organisations do not have a DPO, a requirement under the new regulation. Of those organisations that have a DPO, 29% believe that the role isn’t sufficiently senior and independent to meet the GDPR requirements.

In addition, 44% expect that complying with the obligation to notify the Data Protection Commissioner of a security breach within 72 hours will be very or extremely challenging. On a more positive note, 78% of organisations surveyed will have executive or CEO level sponsorship of compliance programmes to meet the requirements.

Commenting on the research, Paul Lavery, Partner and Head of Technology & Innovation, McCann FitzGerald, said: “In a globalised world, data is the new currency of business. Managing that data in compliance with the GDPR will pose significant and wide-ranging challenges for Irish businesses but could also create interesting opportunities. There are some key steps that organisations should take to prepare, not least ensuring senior level awareness and buy-in to preparing for its application.”

Liam McKenna, Partner - Consulting Services, Mazars, added: “Our message is simple. If they haven’t already started, organisations should begin now to review their internal procedures and controls in light of the impending changes under the GDPR, and consider what amendments to such procedures will be required, and what other measures should be taken, to ensure that they are GDPR ready. The penalties could be severe for those who do not comply.”
