Half of Irish businesses unprepared for GDPR
24 January 2018
More than half of Irish businesses are unprepared for the General Data Protection Regulation (GDPR), with the compliance deadline looming some four months away.
According to a survey from professional services firm EY, 54% of businesses surveyed do not know if the consent they hold to use consumers’ personal data is compliant with GDPR, or if a process of re-consent is required.
Some 40% of businesses expressed an intent to hire a data protection officer (DPO) but had not yet done so. According to EY, this suggests a shortage of talent in the market, which may cause a rush, closer to the compliance deadline, to appoint either DPOs or service providers who offer the service.
Furthermore, half of businesses surveyed have not yet reviewed third-party contracts to ensure they are compliant with the regulations.
“GDPR is all about people’s right to control and understand what happens to their personal data,” said Carol Murphy, director, Advisory, EY Ireland. “Despite how close we are to the enforcement date for GDPR and the focus that has been on that date in the last couple of years, we are still seeing a large number of companies who haven’t made a huge amount of progress on compliance with the regulation.”
“In the time between now and 25 May, our advice would be that companies need to take this seriously, given the fines that could be imposed. If it isn’t possible for an organisation to comply fully with the regulation, it is important that they are at the very least able to demonstrate that they have developed a plan to reach compliance and they have taken steps towards achieving that. The first steps will be to identify what personal data is being held, how and why it was obtained, how long it has been kept and whether it is being stored, processed and transferred securely,” said Murphy.
Under the regulation, organisations are required to keep records of their data processing activities, yet the survey found that 16% of companies have not started this process. It has been anticipated that the Office of the Data Protection Commissioner may well use a request for that documentation as a first step in assessing compliance. Failure to produce the records on request, or inadequacies in them, may lead to an audit.
“GDPR carries stiff financial penalties for non-compliance, up to 4% of turnover or €20m – whichever is greater. With the greater sensitivity around privacy that has emerged in recent years, the reputational issues that accompany any breaches of GDPR have also become a serious risk. Of the companies surveyed, half have not yet undertaken a review of their third-party contracts. This leaves companies exposed should they experience a breach within their supply chain, even if it is outside the organisation given that the regulation places equal accountability requirements on both data controllers and processors,” said Murphy.