A new survey conducted by Mazars and McCann Fitzgerald on Irish businesses' levels of GDPR readiness has produced results that are not pretty. An astounding three quarters of the businesses surveyed say that they are not ready for the GDPR, which comes into effect in six months' time. This latest insight into how the new EU data protection regulation will affect Irish businesses reveals that they are facing serious difficulty in complying with the new rules.
The Office of the Data Protection Commissioner has stated that there will be “no leeway” for non-compliance come May.
When asked about the difficulty of achieving compliance in the necessary time frame, some 95% of businesses described it as “challenging or extremely challenging”, a considerable increase on the sentiment recorded this time last year.
The survey also showed that 75% of Irish businesses believed they “will require significant changes” to their existing data protection protocols, policies and procedures in order to reach compliance.
However, any business hoping to be gently eased into the regulation come May 2018 may be in for a sharp surprise. The Irish Data Protection Commissioner, Helen Dixon, will be responsible for ensuring the GDPR is adhered to in the country, and she has stated that there will be no leeway or second chances for companies that fail to comply.
With fines of up to €20 million or 4% of global turnover potentially handed down to companies found to be non-compliant, the GDPR could prove to be a very expensive lesson to learn the hard way. One thing is for sure: no company wants to be the first to be made an example of, which is bound to happen once the regulation is in full effect.
The GDPR is heavily focused on the concept of ‘data privacy by default and design’ and requires companies to implement “appropriate technical and organisational measures” in order to safeguard user data. This has also led to some confusion among Irish businesses, which are unsure what “state-of-the-art” technological measures specifically means, as the GDPR is somewhat vague in its wording around specific technological requirements.
We always advise a layered and comprehensive approach to cyber security, and implementing technical data protection measures is no different. The safest course of action, which is often the cheapest in the long run, is to follow industry best practice as closely as possible. Even if a company is not 100% ready for the GDPR in May, if it has actively embarked on its journey to compliance, the Irish DPC will take this into account and hand down a considerably lower fine in the event of a data breach.