GDPR: Is your business compliant?

New data protection rules for the digital age

On 25 May 2018, the General Data Protection Regulation (GDPR) came into effect, revolutionising the way that personal data is used and handled.

Representing the largest and most important change to data protection in 20 years, the new EU regulation has fundamentally altered the data landscape in Ireland.

Any organisation that breaches the rules of GDPR faces financial sanctions, reputational damage and public scrutiny over data protection shortfalls.

There are challenges ahead for all business units from marketing, to sales, to IT. But there are also opportunities to change your approach to privacy, refresh your systems and ensure they are fit for today's digital economy.

Ensuring GDPR compliance requires multi-disciplinary skill sets. Our experts can help with the challenges and opportunities ahead.


GDPR: The story so far

July 2009 European Commission (EC) launched a consultation regarding challenges for personal data protection, in light of new technologies and globalisation.
November 2010 EC issued a Communication to the European Parliament and the Council setting out its approach to revising the legal framework for protecting personal data.
March 2011 The Council of the European Union (CEU) published its conclusions on the Commission's approach.
January 2012 EC set out its proposals to reform data protection throughout Europe and published a draft revised Data Protection Regulation.
October to November 2012 European Parliament (EP) led an inter-parliamentary hearing with national parliaments.
Autumn 2013 Informal negotiations between EP and CEU on the drafting of the Regulation. Separately, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted on a compromise text.
March 2014 EP held a plenary vote in first reading of the draft Regulation and adopted the LIBE compromise text.
May 2014 to June 2015 CEU reached agreement on the general approach of the draft Regulation.
June 2015 to December 2015 EC, EP and CEU met to agree the wording of the Regulation in a series of meetings known as trilogue negotiations.
December 2015 EC, EP and CEU agreed and finalised the wording of the Regulation.
16 May 2017 The Irish Department of Justice and Equality published the General Scheme of the Data Protection Bill 2017, which sets out to ensure Ireland's compliance with the GDPR.
25 May 2018 The Regulation applies to all EU Member States.

“While imposing higher data protection obligations on business, it should also result in benefits by increasing consumer trust and confidence in new technologies and business models which should in turn facilitate business in reaping the full potential of the digital economy.”

Frances Fitzgerald, Tánaiste of Ireland. Announced upon the drafting of the Data Protection Bill.

Key implications of GDPR for Irish business

Data protection by design

Controllers must implement appropriate technical and organisational measures and procedures to ensure that processing safeguards the rights of the data subject by design. If a business is not yet ready to embark on a full review and overhaul, there are a few key steps to start with: minimise the data collected; do not retain that data beyond the purpose it was collected for; and give the data subject access to, and ownership of, that data.

Right to be forgotten

This is the data subject's right to have their data erased, and it is more far-reaching than a business might consider at first blush. A consumer or data subject can ask at any time for the data a company holds to be erased and, if that data has been passed on to any third parties (or third-party websites), those recipients would have to erase it as well.

Be aware of breach penalties

For the most serious infringements, the GDPR allows fines of up to €20 million or 4% of total worldwide annual turnover (whichever is higher), a serious chunk of revenue for even the largest multinational.

Potential for brand damage

If a personal data breach is likely to cause a high risk to the rights and freedoms of the data subjects, personal data breaches must be notified to the relevant data subjects without undue delay, unless the controller can demonstrate that encryption or other technology rendered the data unintelligible to third parties.

So whether the data of 10 customers or of 1,000,000 customers is lost, every affected customer would have to be told. The potential for significant brand damage, litigation and media reporting of an incident is clear, and could spell the end of a business overnight.
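The three controls discussed above (retention tied to the purpose the data was collected for, erasure that fans out to third parties that received copies, and encryption that leaves a leaked copy unintelligible) are easier to reason about in working code. The following Python is an added illustration and is not part of this page or of any PwC tooling. It keeps each data subject's records encrypted under a per-subject key (crypto-shredding: an erasure request destroys the key, so any stranded copy of the ciphertext on a backup or in a log becomes unreadable), purges records that have outlived their retention period, and notifies registered recipients of an erasure. The store, the record fields, the mailing-vendor callback and the timestamps are constructed for the example; the HMAC-SHA256 counter keystream stands in for a real AEAD such as AES-GCM, which the standard library does not provide, and is not a production cipher.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

NONCE_LEN = 16
DAY = 86400  # seconds


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stand-in for a real AEAD
    # (assumption made so the example runs on the standard library alone).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


@dataclass
class Record:
    subject_id: str
    purpose: str          # why it was collected; reads are scoped to a purpose
    collected_at: float   # unix time
    retention_days: int   # how long that purpose justifies keeping it
    ciphertext: bytes


class PersonalDataStore:
    """Personal data encrypted under one key per data subject (crypto-shredding):
    deleting the key is the erasure, and stranded copies become unintelligible."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}                   # the only copy of each key
        self._records: List[Record] = []
        self._recipients: List[Callable[[str], bool]] = []  # third parties holding copies

    def register_recipient(self, erase_callback: Callable[[str], bool]) -> None:
        """Register a processor or partner that received copies and must erase on request."""
        self._recipients.append(erase_callback)

    def store(self, subject_id: str, purpose: str, value: str,
              retention_days: int, now: Optional[float] = None) -> None:
        key = self._keys.setdefault(subject_id, os.urandom(32))
        now = time.time() if now is None else now
        self._records.append(Record(subject_id, purpose, now, retention_days,
                                    encrypt(key, value.encode())))

    def unlock_copy(self, subject_id: str, blob: bytes) -> str:
        """Decrypt any copy of a subject's ciphertext, e.g. one found on a backup."""
        key = self._keys.get(subject_id)
        if key is None:
            raise KeyError(f"key for {subject_id} was shredded; ciphertext is unreadable")
        return decrypt(key, blob).decode()

    def read(self, subject_id: str, purpose: str) -> List[str]:
        """Purpose-scoped read: marketing code does not see order-fulfilment data."""
        return [self.unlock_copy(subject_id, r.ciphertext) for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose]

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Retention limit: drop records kept longer than their purpose allows."""
        now = time.time() if now is None else now
        keep = [r for r in self._records if r.collected_at + r.retention_days * DAY > now]
        removed = len(self._records) - len(keep)
        self._records = keep
        return removed

    def erase_subject(self, subject_id: str) -> List[bool]:
        """Right to erasure: shred the key, drop the records, fan out to recipients."""
        self._keys.pop(subject_id, None)
        self._records = [r for r in self._records if r.subject_id != subject_id]
        return [notify(subject_id) for notify in self._recipients]


def demo() -> dict:
    """Walk through a retention purge and an erasure request on constructed data."""
    store = PersonalDataStore()
    vendor_erasures: List[str] = []  # what the (constructed) mailing vendor was told
    store.register_recipient(lambda sid: vendor_erasures.append(sid) is None)
    t0 = 1_600_000_000.0  # constructed timestamp
    store.store("alice", "order-fulfilment", "alice@example.com", 30, now=t0)
    store.store("alice", "marketing", "likes hiking", 365, now=t0)
    store.store("bob", "order-fulfilment", "bob@example.com", 30, now=t0)
    store.store("bob", "marketing", "newsletter opt-in", 365, now=t0)
    stale_copy = store._records[1].ciphertext  # a copy that escaped to a backup
    before = store.unlock_copy("alice", stale_copy)
    purged = store.purge_expired(now=t0 + 60 * DAY)  # fulfilment data has expired
    acks = store.erase_subject("alice")
    try:
        store.unlock_copy("alice", stale_copy)
        after_readable = True
    except KeyError:
        after_readable = False
    return {"stale_copy_before": before, "purged": purged, "acks": acks,
            "vendor_erasures": vendor_erasures, "stale_copy_after_readable": after_readable,
            "alice_marketing": store.read("alice", "marketing"),
            "bob_marketing": store.read("bob", "marketing")}


if __name__ == "__main__":
    print(demo())
```

The point of keying per subject is that erasure no longer depends on finding every copy: backups, exports and log extracts that still hold the ciphertext are rendered unintelligible the moment the key is destroyed, which is also the condition the breach-notification exemption above turns on. That makes custody of the key store the control to audit; if keys are backed up alongside the data, shredding them achieves nothing.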

Data protection officer

Important projects need owners. Under the GDPR, a data protection officer (DPO) acts as the focal point for compliance: advising on access controls and risk reduction, monitoring compliance, handling data subject requests, coordinating breach reporting and shaping the data security policy. Not every business is obliged to appoint a DPO, but every business needs someone to act as the focal point in ensuring compliance with the GDPR, and where a DPO is required one should already be in place.

GDPR: An opportunity for Ireland?

GDPR isn't just about meeting compliance standards. It’s an opportunity to make customers' and employees' data protection rights a key priority. Your organisation has an opportunity to demonstrate the adoption of the GDPR principles within its core values, placing the individual and their right to data protection as a key business objective.

GDPR also brings opportunities to Ireland for international businesses. There are significant efficiencies for multinational companies in having their key data management functions located here. If a company makes its data strategy decisions in one EU member state, it deals principally with that state's Data Protection Commissioner as its lead supervisory authority. In a post-Brexit world, it will be appealing to multinationals to deal with one Data Protection Commissioner in an English-speaking EU member state, rather than with different jurisdictions and the obvious language complexities that brings.

How can you protect your GDPR compliance?

  1. Assess your current state
    Conduct a risk analysis and complete a comprehensive data mapping and discovery exercise. It's important to understand your current state of compliance and identify any potential risk areas.
  2. Design your future state
    What does success look like, within the context of your own business objectives? Plan and agree your strategy to achieve this, and roll out your GDPR programme across the organisation as a whole.
  3. Operate and sustain your GDPR programme
    You have already met the initial GDPR deadline, but this is only one step in the GDPR journey. Through constant assessment and maintenance of your programme, you will identify opportunities to enhance the efficiency and effectiveness of your internal controls.

Contact us

Pat Moran

Partner, PwC Ireland (Republic of)

Rodesh Govender

Manager, PwC Ireland (Republic of)
