A new survey has been conducted by Mazars and McCann Fitzgerald on Irish businesses around their levels of GDPR readiness, and the results are not pretty. An astounding three quarters of businesses surveyed say that they’re not ready for the GDPR, which comes into effect in six months’ time. This latest insight into how the new EU data protection regulation will affect Irish businesses reveals that they are facing serious difficulty in complying with the new rules.
GDPR is coming. Rapidly, as it so happens, and at the time of writing there are just over 6 months to go until the 25th May 2018 deadline for compliance. Since the GDPR was adopted by the EU in 2016, businesses have been trying their best to understand the impending data protection regulation and, ultimately, ensure they are compliant. The GDPR is no straightforward matter, though, as much of the phrasing is purposely vague to allow for possible technological advances, and to ensure that the regulation itself does not become obsolete in the near future. The idea is that if the GDPR specified which technologies a business must employ in order to safeguard its data, those technologies could be superseded by new ones – reducing the effectiveness of the regulation. A key GDPR requirement, under Article 32, states that data controllers and processors are required to “implement appropriate technical and organizational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing”. But what exactly does “state of the art” mean?
The EU has specifically worded some GDPR requirements in a vague manner, to ‘future-proof’ them from technological advances
With the EU General Data Protection Regulation (GDPR) only 8 months away from coming into force, surveys are showing that many businesses across the UK and Ireland are still confused about exactly what the regulation means for them, and may be unprepared for GDPR. A survey of over 1000 IT decision makers revealed that 64% were unaware that customers’ birth dates are considered personally identifiable information (PII), which is especially worrying as any mishandling of such data could constitute a breach of the GDPR and result in fines of up to €20 million. 42% did not realise that email marketing databases contained PII, 32% did not consider physical addresses to be PII, and 21% did not even consider customer email addresses to be PII. In contrast, 85% of these survey respondents reported that they have reviewed the GDPR requirements thoroughly and 79% believe they have done everything they need to do to secure their data. This disparity marks a worrying trend for businesses, big or small.
The GDPR comes into full effect on the 25th of May 2018 – and no one wants to be made an example of
With the GDPR now less than 8 months away from becoming enforceable, businesses all over the EU, and indeed any company that conducts business with EU citizens, are scrambling to prepare in time for the legislation. The upcoming General Data Protection Regulation was designed to give clarity and control back to users about how their sensitive data is being processed and held, but it has led to quite a bit of confusion for businesses about how this will actually work. Most people will have heard about the increased fines, as regulators can now fine offending bodies up to €20 million or 4% of global turnover, but there is a lot of confusion, and indeed misinformation and misinterpretation, out there that makes the process even more difficult. To this end, there are a few things we’d like to set the record straight on, particularly around consent. Over the coming weeks and months we hope to provide more guidance on areas prone to misinterpretation, so stay tuned!
Myth: You must always have consent to process someone’s personal data.
With the stakes so high, it can be hard to tell the difference between important guidance and scaremongering when it comes to the GDPR
GDPR, the EU’s new set of data protection laws, is coming in May of 2018. It is a complete overhaul of how user data is processed by companies and will supersede Irish law, consolidating Europe’s various national laws into one comprehensive regulation. GDPR is all about accountability, and as such it places equal responsibility on both businesses that hold EU data and any third-party providers that may process or hold data on their behalf. In practical terms, that means that if you outsource any aspect of your business, such as payroll to an external HR company, then both parties must be GDPR-compliant, even if the outsourced company is not based in or even near the EU. So what does this mean for companies that outsource data processing or host data in the cloud outside the EU? Well, it means Microsoft’s suite of cloud services such as Office 365, SharePoint and Azure are now looking a lot more appealing – as Microsoft are offering contractual commitments to their clients to comply with the GDPR in time for the May 2018 deadline.
Microsoft Cloud has promised to be GDPR-compliant as deadline looms
According to Rich Sauer, Microsoft’s Corporate Vice President, “Trust is central to Microsoft’s mission to empower every person and every organisation on the planet to achieve more. So that you can trust the Microsoft products and services you use, we take a principled approach with strong commitments to privacy, security, compliance and transparency.”