Out-Law News
01 Mar 2018, 12:44 pm
Dublin-based Dermot McGirr of Pinsent Masons, the law firm behind Out-Law.com, said that there is still time for businesses to ensure that they will be compliant with the General Data Protection Regulation (GDPR) before the new rules begin to apply on 25 May.
McGirr was commenting after a recent survey of 350 Irish businesses found that less than half – just 48% – believe they are prepared for the GDPR.
Some of the main findings of the survey were reported by the Irish Tech News website.
"A point for Irish businesses to note is that the GDPR deadline on 25 May 2018 is the end point of a two year implementation period," McGirr said. "From 25 May onwards GDPR will be a binding legal requirement which contains sanctions and fines for entities found to be in breach of it."
McGirr said businesses that breach the GDPR risk fines of up to €10 million or 2% of annual global turnover, whichever is higher, or up to €20 million or 4% of annual global turnover, whichever is higher, depending on the offence. Irish businesses therefore need to ensure compliance by the deadline, he said.
"To achieve this, businesses need to first understand the flows of personal data through their organisation," McGirr said. "Only once this 'personal data audit' has been completed will they be in a position to understand what compliance steps they need to take before the 25 May deadline. For the vast majority of Irish businesses there is no reason that this process cannot be completed in time, provided they act now."
"I have been working closely with businesses of all sizes on GDPR compliance and understand that a 'one size fits all' approach is not the correct approach to take. A pragmatic solution which is tailored to a business’s sector and its specific exposure to GDPR risk is what, in my experience, works best," he said.
The survey found that more than three quarters of Irish businesses believe cyber attacks are a major threat to their operations, according to the Irish Tech News report. The report said that 29% of businesses had admitted to experiencing a cyber attack in 2017 and that half of the 350 respondents anticipate experiencing such an attack during 2018.
The heightened cyber risk was confirmed in the Irish data commissioner's latest annual report (76-page / 1.72MB PDF), published on Tuesday.
According to the report, there were 2,795 "valid data security breaches" reported to the data protection commissioner in 2017, a 26% increase on the number recorded in 2016.
The data protection commissioner also received 2,642 data protection complaints in 2017, up 79% from the 1,479 it received the year previously. The watchdog said more than half of the total complaints made, 52%, concerned the way in which organisations addressed data subjects' right to access their own data.
Helen Dixon, the data protection commissioner in Ireland, said: "The GDPR’s focus is on demanding accountability from organisations in how they collect and process personal data. The best results for data subjects are secured when organisations of all types deliver on their obligations to be fair and transparent."
"We firmly believe that organisations should see the GDPR as an opportunity rather than a challenge and that those who can demonstrate a true commitment to data protection will be rewarded in the marketplace for their services," she said.
A new Data Protection Bill has been introduced before the parliament in Ireland. The Bill contains provisions which, if enacted, would supplement the GDPR.