GDPR: Is Irish business ready?

New data protection rules for the digital age

The General Data Protection Regulation (GDPR) is coming, and data protection is firmly at the forefront of the business agenda.

Representing the largest and most important change to data protection in 20 years, the new EU regulation has significant implications for the data landscape in Ireland.

Irish businesses must be in full compliance by May 2018 – or face financial sanctions, potential reputational damage and public scrutiny over potential data protection short-falls.

There are challenges ahead for all business units from marketing, to sales, to IT. But there are also opportunities to change your approach to privacy, refresh your systems and ensure they are fit for today’s digital economy.

Getting GDPR-ready requires multi-disciplinary skill sets. Our experts can help with the challenges and opportunities ahead.

GDPR: The story so far

July 2009 European Commission (“EC”) launched a consultation regarding challenges for personal data protection, in light of new technologies and globalisation.
November 2010 EC issued a Communication to the European Parliament and the Council setting out its approach to revising the legal framework for protecting personal data.
March 2011 The Council of the European Union (“CEU”) published its conclusions on the Commission’s approach.
January 2012 EC set out its proposals to reform data protection throughout Europe and published a draft revised Data Protection Regulation.
October to November 2012 European Parliament (“EP”) led an inter-parliamentary hearing with national parliaments.
Autumn 2013 Informal negotiations between EP and CEU as to the drafting of regulation. Separately the European Parliament Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) voted on a compromise text.
March 2014 EP held a plenary vote in first reading of the draft Regulation and adopted the LIBE compromise text.
May 2014 to June 2015 CEU reached agreement on the general approach of the draft Regulation.
June 2015 to December 2015 EC, EP and CEU met to agree the wording of the Regulation in a series of meetings known as trilogue negotiations.
December 2015 EC, EP and CEU agreed and finalised the wording of the Regulation.
16 May 2017 The Irish Department of Justice and Equality published the General Scheme of the Data Protection Bill 2017, which sets out to ensure Ireland’s compliance with the GDPR.
25 May 2018 The Regulation applies to all EU Member States.

“While imposing higher data protection obligations on business, it should also result in benefits by increasing consumer trust and confidence in new technologies and business models which should in turn facilitate business in reaping the full potential of the digital economy.”

Frances Fitzgerald, Tánaiste of Ireland, announced upon the drafting of the Data Protection Bill

Key implications of GDPR for Irish business

Data protection by design

Controllers must implement appropriate technical and organisational measures and procedures to ensure that processing safeguards the rights of the data subject by design. For a business that does not want to embark on a full review and overhaul just yet, there are a few key steps: minimise the data collected; do not retain that data beyond its original purpose; and give the data subject access to, and ownership of, that data.

Right to be forgotten

This is, in effect, a right of consumers to have their data erased, and it is more far-reaching than a business might consider at first blush. A consumer or data subject can request erasure of the data held by a company at any time and, if that data has been passed on to any third parties (or third-party websites), those parties would have to erase it as well.

Be aware of breach penalties

For serious infringements, the GDPR allows for fines of up to €20 million or 4% of total worldwide annual turnover (whichever is higher), which would be a serious chunk of revenue for even the largest multinational.

Potential for brand damage

If a personal data breach is likely to cause a high risk to the rights and freedoms of the data subjects, personal data breaches must be notified to the relevant data subjects without undue delay, unless the controller can demonstrate that encryption or other technology rendered the data unintelligible to third parties. So whether the data for 10 customers or 1,000,000 customers is lost, they would all have to be told. The potential for significant brand damage, litigation and media reporting of an incident is clear and could spell the end of a business overnight.

Data protection officer

Important projects need owners. Under the GDPR, a data protection officer (DPO) is responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches and even creating a sound data security policy. Businesses will need someone to act as the focal point for ensuring compliance with the GDPR, so they should appoint DPOs sooner rather than later.


GDPR: An opportunity for Ireland?

GDPR represents not just a journey for compliance but an opportunity to place customers’ and employees’ data protection rights as a key priority. Your organisation has an opportunity to demonstrate the adoption of the GDPR principles within its core values, placing the individual and their rights for data protection as a key business objective.

GDPR could also bring opportunities to Ireland from international businesses. There are significant efficiencies for multinational companies in locating their key data management functions in Ireland. If a company makes its data strategy decisions in one EU member state, it is only obliged to report to that state’s Data Protection Commissioner. In a post-Brexit world, it will be appealing to multinationals to negotiate with one Data Protection Commissioner in the only English-speaking EU member state, rather than dealing with different jurisdictions and the obvious language complexities that entails.

What should you do to prepare for GDPR?

  1. Assess your current state:
    Conduct a risk analysis and complete a comprehensive data mapping and discovery exercise. Understand your current state of readiness, identify the gaps and define your GDPR roadmap.
  2. Design your future state:
    What does success look like, within the context of your own business objectives? Plan and agree your strategy to achieve this, and roll out your GDPR programme across the organisation as a whole.
  3. Operate and sustain your GDPR programme:
    Achieving the compliance requirements before the deadline is only part of the GDPR journey. Through constant assessment and maintenance of your programme, you will identify opportunities to enhance the efficiency and effectiveness of your internal controls.


Contact us

Pat Moran
Partner
Tel: +353 1 792 5308

Rodesh Govender
Manager
Tel: +353 1 792 6841