Mazars and McCann FitzGerald have released their third report on the awareness and understanding of Irish business for the General Data Protection Regulation (GDPR), the first report since GDPR’s introduction in May 2018.
Six months on and Irish businesses appear to be optimistic about compliance with the GDPR as 88% say they are confident that they have correctly interpreted their GDPR obligations while 84% of organisations are satisfied that they are materially compliant with GDPR.
Although 68% of businesses found it challenging to put the necessary GDPR compliance structures in place, there is also a shared belief that the introduction of GDPR has been a positive development for society with 82% of businesses agreeing or strongly agreeing that GDPR has been beneficial for individuals.
Paul Lavery, Partner and Head of Technology & Innovation, McCann FitzGerald, said “An interesting aspect of the research is the air of confidence among organisations of their understanding of GDPR. Nobody said the road to GDPR compliance would be easy but most organisations have found it to be a worthwhile, albeit, at times painful, exercise in terms of information governance, something they may not have done otherwise. There are requirements that are continuing to be challenging to address and there is an awareness of areas where they are at risk of non-compliance. However, overall organisations are cautiously optimistic. This optimism is likely to be tested in the coming months as enforcement actions and data subject activism start to kick in.”
Liam McKenna, Partner with Mazars, said “We see that although there is still work to be done, the majority of businesses are adapting to the new legislation. The research shows positive action among the business community, as evidenced by the appointment of Data Protection Officers, the investment of financial resources as well as the proactive reporting of data breaches. However, it is clear that embedding compliance into business as usual functions, in order to demonstrate accountability, is proving challenging. Although a baseline level of compliance has been achieved, organisations are continuing to develop so as to manage data protection risks. It is crucial that businesses are in a position to meet their growing needs and adapt to changes in the external environment that will impact their business, for example the ongoing emergence of new technologies and Brexit”.
Of all the aspects of GDPR compliance, the majority of businesses (33%) have found the creation and maintenance of records of processing activities to be the greatest challenge. Other particular challenges have been the documenting and evidencing of compliance (21%) and addressing security obligations (15%).
The report found that organisations are not relying on just one legal base for the processing of their data; each of contracts, legitimate interest and compliance with legal obligation are relied upon as legal basis for processing by just over 50% of respondents. Consent is slightly less widely used and 54% of respondents said that they found meeting the requirements in relation to consent to be challenging or extremely challenging.
Since the introduction of GDPR in May 2018, individuals appear to be more aware and keen to exercise of their rights with 56% of businesses reporting an increase in data subject requests since the introduction of GDPR.
Around 68% of respondents (many of which are organisations for whom a DPO is mandatory) have appointed a Data Protection Officer (DPO) and of those organisations, 52% insourced the appointment of their DPO while 16% chose to outsource. 34% of organisations who appointed a DPO said they found it was not at all difficult to source and appoint a DPO while 32% found it very difficult.
Another trend noted is the seniority of the role with 62% of organisations saying that their DPO will report to C-Level executives including the CEO.
Gearing up for and implementing GDPR compliance has been a costly exercise with 61% of businesses admitting that costs were either a little or a lot more than expected. 58% of businesses calculated that internal and external GDPR-related costs to date such as IT, audit, legal and training, were between €50,000 and €250,000.
With 56% of firms reporting that GDPR compliance has placed an excessive administrative burden on their organisations, further investment will be needed to ensure that ongoing compliance is sustainable. Businesses that have been relying on manual processes will need more automated solutions in the future, particularly since potentially labour-intensive activities such as maintaining an active record of processing or documenting and evidencing compliance are identified as areas of concern from an enforcement perspective.
Looking ahead, 84% of companies said that they had either implemented or intended to implement IT solutions to support delivering and demonstrating their compliance with GDPR. Of the 84%, the majority of businesses (30%) expected to invest between €50,000 and €250,000 in implementing these IT solutions.
Also, when asked about future plans for GDPR in light of Brexit, companies are adopting a wait and see approach with 50% saying that they are waiting for further developments before they make a post-Brexit plan.