Irish businesses confident in GDPR compliance
Third annual GDPR report from Mazars and McCann FitzGerald finds confidence and challenge with privacy regulation
26 November 2018
A third annual report on awareness and understanding among Irish businesses of the General Data Protection Regulation (GDPR), but the first since the May 2018 deadline, has found that confidence among Irish businesses is high.
The report from Mazars and McCann FitzGerald found the vast majority of Irish businesses (88%) were confident in their interpretation of GDPR obligations, with a similar proportion (84%) satisfied they are materially compliant with GDPR.
However, more than two thirds (68%) admitted to finding it challenging to put the necessary compliance structures in place, though there was also a shared belief that the introduction of GDPR has been a positive development for society, with a strong 82% agreeing or strongly agreeing with the sentiment.
‘Air of confidence’
“An interesting aspect of the research,” said Paul Lavery, partner and head of Technology and Innovation, McCann FitzGerald, “is the air of confidence among organisations of their understanding of GDPR. Nobody said the road to GDPR compliance would be easy, but most organisations have found it to be a worthwhile, albeit, at times painful, exercise in terms of information governance, something they may not have done otherwise.
“There are requirements that are continuing to be challenging to address and there is an awareness of areas where they are at risk of non-compliance. However, overall organisations are cautiously optimistic. This optimism is likely to be tested in the coming months as enforcement actions and data subject activism start to kick in,” said Lavery.
Agreeing with Lavery’s assessment, Liam McKenna, partner, Mazars, said the research shows positive action across the business community, as evidenced by the appointment of Data Protection Officers, the investment of financial resources and the active reporting of data breaches.
“However,” said McKenna, “it is clear that embedding compliance into business as usual functions, in order to demonstrate accountability, is proving challenging. Although a baseline level of compliance has been achieved, organisations are continuing to develop so as to manage data protection risks. It is crucial that businesses are in a position to meet their growing needs and adapt to changes in the external environment that will impact their business, for example the ongoing emergence of new technologies and Brexit”.
Delving into the areas where business experienced challenges, a third said the creation and maintenance of records of processing activities was their greatest challenge, followed by the documenting and evidencing of compliance (21%) and addressing security obligations (15%).
The report found that organisations are not relying on just one legal basis for the processing of their data; a combination of contracts, legitimate interest and compliance with legal obligation was reported as being relied upon as the legal basis for processing by just over half of respondents. Consent is slightly less widely used, and more than half (54%) of respondents said that they found meeting the requirements in relation to consent to be challenging or extremely challenging.
More than half (56%) of businesses reported an increase in data subject requests since the introduction of the regulations, indicating greater awareness among the public, and a willingness to exercise their rights.
More than two thirds (68%) of respondents have appointed a Data Protection Officer (DPO) and of those organisations, more than half (52%) insourced the appointment, with just 16% outsourcing. It is worth noting that for many of the polled organisations the appointment was mandatory. A third (34%) of organisations who appointed a DPO said they found it was not at all difficult to source and appoint one, but almost the same proportion (32%) reported finding it very difficult. Another positive trend was for the seniority of the role with almost two thirds (62%) of organisations reporting their DPO will report to the C-suite, including the CEO.
Preparations and compliance efforts have been costly, according to respondents, with 61% of businesses admitting costs were either a little or a lot more than expected. Almost the same number (58%) calculated that internal and external GDPR-related costs to date, such as IT, audit, legal and training, were between €50,000 and €250,000.
Looking to the future, the majority (84%) of businesses said that they had either implemented or intended to implement IT solutions to support delivering and demonstrating their compliance with GDPR. Of that proportion, 30% expected to invest between €50,000 and €250,000 in implementing these IT solutions.
When asked about future plans for GDPR in light of Brexit, businesses said they are adopting a wait-and-see approach, with half saying that they are waiting for further developments before they make a post-Brexit plan.