With Data Protection Day upon us, the threat of fines for companies ignoring data laws in future is set to rise an awful lot.
We recently learned that the EU agreed on a text for a new data protection package, with a regulation (GDPR) and directive (DPD) in the offing.
What that means was dealt with in fine detail by Daragh O’Brien, MD of Castlebridge Associates, a couple of weeks back.
But the basics are that, under the GDPR, the maximum penalty for companies breaching data protection legislation will rise from the current €250,000 up to €20m, or 4pc of global turnover, whichever is higher.
Data Protection Day
Those figures are huge, and it’s not lost on Matheson Partner Anne-Marie Bohan, who has a warning for Irish businesses.
“Given the findings of the Irish Computer Society that a third of Irish companies surveyed had experienced a data breach in the last 12 months, this is a serious issue for Irish business,” she said.
Irish businesses need a better understanding of personal data: where it is, where it comes from, who can access it, what it is used for and how it is secured. That should be a given, but now that tens of millions of euros are lined up as punishment, this should happen fast.
“Ultimate responsibility for data protection compliance will now rest firmly at management and board level,” said Bohan.
A new business
Data Protection Officers will be required in certain circumstances – public bodies, organisations that process particularly sensitive personal data or data relating to criminal offences – which Bohan feels could lead to growing demand for outside help and for outsourced expertise in the area.
“The new EU regulation is based on the principle of ‘privacy by design and by default’, in that data protection safeguards must be built into products and services from the outset and apply by default,” she said.
“Companies that store and process data must now ensure that data protection procedures are proactively built into every element of their product or service offerings.”
What’s interesting about these past few weeks in data protection doesn’t end with what is a major, international agreement on something sorely overlooked in recent years.
For the privacy advocacy group Digital Rights Ireland – which has proved very successful in recent history – is challenging whether or not the Irish Data Protection Commissioner is truly independent.