Irish businesses will have to pay more attention to their data protection procedures in future as a new EU Regulation to be approved by the EU Parliament in the coming days threatens companies with huge fines in the event of a data breach. This was the message from Matheson Partner Anne-Marie Bohan, ahead of the legal firm’s annual Data Protection Day briefing to be held today.
The General Data Protection Regulation (GDPR), aimed at developing a more coherent and uniform data protection regime across the EU Member States, will require Irish companies to ensure privacy is in-built into systems and products, and to report privacy breaches to authorities, or face sanctions of as much as 4% of global revenues, which supporters believe will motivate organisations to reassess their data protection policies.
Bohan noted, “Misuse of customer data or data breach will be an expensive mistake for Irish businesses and given the findings of the Irish Computer Society that a third of Irish companies surveyed has experienced a data breach in the last 12 months, this is a serious issue for Irish business.”
“The considerable risk associated with noncompliance means that Irish businesses – both indigenous and international companies operating in Ireland – need to have a better understanding of where the personal data in their organisations is stored, who has access to it and what it is used for, and how it is secured. Ultimate responsibility for data protection compliance will now rest firmly at management and board level,” she added.
The new regulation will also seek to address the perceived lack of this specialist capability within businesses by requiring larger companies to appoint a Data Protection Officer (DPO). The role is well defined with a requirement for the position to report to the top level of management with significant employment protections in place. Bohan was of the view that smaller organisations will need to consider an out-sourced data protection advisor and that this will become a growth area of service for the firm in the coming years.
Bohan also emphasised that “The new EU regulation is based on the principle of ‘Privacy by design and by default’, in that data protection safeguards must be built into products and services from the outset and apply by default. Companies that store and process data must now ensure that data protection procedures are pro-actively built into every element of their product or service offerings.”
Ireland will have an important oversight and enforcement role, as a European hub for social media, financial services and technology companies. Ireland’s Data Protection Commissioner, Helen Dixon, who will speak at the same briefing, emphasised the increase in skilled resources the Irish data protection authority has brought on board in the last 12 months – lawyers, technical compliance specialists and security technology auditors among others – and set out details of the ongoing specialist recruitment to the authority. She outlined that “The increase in skilled resources at the Irish DPC is already allowing us to respond faster to identified areas of risk to the data protection rights of individuals and, combined with the increased enforcement focus of the forthcoming General Data Protection Regulation, both public and private organisations would be well advised to renew their focus now on their obligations under the law to protect the individual’s right to data privacy.”