EU GDPR: How to Prepare

With the General Data Protection Regulation coming into effect in May next year, experts offer guidance to businesses on how to deal with the EU’s overhaul of data protection laws.

The government has described the Data Protection Bill – which will give effect to the EU’s General Data Protection Regulation (GDPR) – as ‘priority legislation for publication’, although it’s not yet clear when it will complete its passage through parliament.

Businesses may also have work to do. In May, a study for the Data Protection Commissioner conducted by Amárach Research found that 26% of businesses did not know when they expected to begin their GDPR implementation plan, while 70% of respondents were unaware that the regulation would apply from 25 May 2018.

Research undertaken to mark the Data Summit Dublin event in June revealed that two thirds of businesses were unaware of their obligations under the GDPR, and almost half (47%) were unsure where data protection responsibilities lay within their company.

Audit advice

Businesses should conduct an information audit in order to determine what steps are required, says Linda Barry, assistant director at the Small Firms Association (SFA), which is working with the Office of the Data Protection Commissioner (DPC) to develop tools to support small businesses with GDPR compliance. “The outcome of the audit will be specific to each organisation, and it’s only by carrying out this process that they’ll understand what data they hold and how they use it.”

Maura Quinn, chief executive at the Institute of Directors, says buy-in from senior management is crucial at this stage. “Companies will need to examine existing data processing across the entire business to assess how they hold personal data; review data protection policies, procedures and controls; and identify any gaps that need to be addressed.

“It’s essential that company directors and employees are aware of the impact of the GDPR on their business and ensure they’re compliant in time, given the potential penalties, which include administrative fines and other significant sanctions. Directors also need to understand the significance of the GDPR in light of potential personal liability.”

Gap assessment

The compliance journey should begin with an objective gap assessment of the current state of readiness. This will typically lead to a programme of improvements that should be tracked over time and used to demonstrate that the organisation has considered its position and is taking its compliance requirements seriously.

“A key early step is to put in place governance, accountability and planning processes that will set the company on the path towards compliance,” says Ivan O’Brien, advisory partner, head of risk services, at EY. “All businesses should have a view on the key information they hold, where the information is stored, who has access to the information, whether they still need the information and if so, how the information is secured and protected.”

O’Brien also observes that the GDPR carries stiff financial penalties for non-compliance. “In an age where media stories of data security issues are almost a daily occurrence, the fallout from a personal data breach could result in serious reputational damage for an organisation,” he warns.

Important office

The GDPR provides that all public authorities must appoint a data protection officer (DPO), as must private sector organisations whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data.

The DPO acts as an intermediary between stakeholders, including data protection authorities, data subjects and business units within an organisation, says Erik O'Donovan, head of digital economy policy at employers’ group IBEC. “A DPO can be a contractor or an employee of the organisation but should be a recognised expert in data protection,” he says.

The Article 29 Working Party, which consists of representatives from each data protection authority in the EU, has published guidance on DPOs.

Corporate responsibility

Where a business decides to appoint a DPO on a voluntary basis, it should be aware that the requirements applicable to mandatory DPOs will also apply to the voluntarily appointed officer.

It’s also important to note that DPOs are not personally responsible where an organisation does not comply with the GDPR – compliance is ultimately the responsibility of the organisation, says O’Donovan.

“Therefore, in considering the appointment of a DPO or a lead person on implementing GDPR readiness, an organisation must ensure the appointee is adequately qualified and resourced for the role.”

The individual appointed to the role of DPO is required to have a significant level of expertise, not just in the area of data protection but also in the organisation and business sector, the regulatory requirements both nationally and internationally, the data protection risks in the business and the IT infrastructure of the business, says Eva O’Toole, business partner at Deloitte Ireland.

“Depending on the nature of the business, the DPO may be required to have specific expertise in areas such as international data transfers or sector-specific data considerations,” she adds.

Obvious obligations

Organisations of all sizes need to not just develop and implement a plan for complying with GDPR – they also need to ensure that changes are sustained, says Mike Harris, partner, cyber-security services, at Grant Thornton. “The GDPR will change business-as-usual activities, so organisations will never be fully finished with related activities,” he says.

If a business holds or processes personal data (whether for employees, customers or both), it will have some obligations under the GDPR, says O’Toole. “The level of responsibility will be determined by the amount of personal data it processes and the risks associated with the type of processing it does.”
