Looming actions will test how well organisations have applied GDPR

26 Nov 2018

From left: Paul Lavery, McCann FitzGerald; Annette Hogan, McCann FitzGerald; and Liam McKenna, Mazars. Image: Shane O’Neill/SON Photographic

Despite the challenges, firms are upbeat about how they have complied with GDPR so far.

Six months after the General Data Protection Regulation (GDPR) came into law across the EU, the majority of Irish businesses (88pc) say they are confident that they have correctly interpreted their obligations.

That’s according to a study by Mazars and McCann FitzGerald, which also found that 84pc of organisations say they are satisfied that they are materially compliant with GDPR.

‘This optimism is likely to be tested in the coming months as enforcement actions and data subject activism start to kick in’

Around 68pc admit they found it challenging to put the necessary compliance structures in place. Despite this, there is a shared belief among 82pc of businesses that the new regulations have been beneficial for individuals.

Are firms just a little too confident?

But how well firms have applied their interpretation of the new regulations will be tested, as a slew of enforcement actions and activism prompted by new civil powers will enter the fray.

“An interesting aspect of the research is the air of confidence among organisations of their understanding of GDPR,” said Paul Lavery, partner and head of technology and innovation at McCann FitzGerald.

“Nobody said the road to GDPR compliance would be easy but most organisations have found it to be a worthwhile – albeit at times painful – exercise in terms of information governance, something they may not have done otherwise. There are requirements that are continuing to be challenging to address, and there is an awareness of areas where they are at risk of non-compliance.

“However, overall, organisations are cautiously optimistic. This optimism is likely to be tested in the coming months as enforcement actions and data subject activism start to kick in.”

The road to GDPR

Of all the aspects of GDPR compliance, 33pc of businesses have found the creation and maintenance of records of processing activities to be the greatest challenge. Other particular challenges have been the documenting and evidencing of compliance (21pc) and addressing security obligations (15pc).

Organisations are not relying on just one legal base for the processing of their data; contracts, legitimate interest and compliance with legal obligation are relied upon as legal basis for processing by more than 50pc of respondents. Consent is slightly less widely used and 54pc of respondents said that they found meeting the requirements in relation to consent to be challenging or extremely challenging.

Since the introduction of GDPR in May 2018, individuals appear to be more aware of and keen to exercise their rights, with 56pc of businesses reporting an increase in data subject requests since the introduction of GDPR.

68pc of respondents (many of which are organisations for which a data protection officer [DPO] is mandatory) have appointed a DPO. Of those organisations, 52pc insourced the appointment of their DPO while 16pc chose to outsource. 34pc of organisations that appointed a DPO said they found it was not at all difficult to source and appoint one, while 32pc found it very difficult. Another positive trend is the seniority of the role, with 62pc of organisations saying that their DPO will report to C-level executives, including the CEO.

“We see that although there is still work to be done, the majority of businesses are adapting to the new legislation,” said Liam McKenna, partner with Mazars.

“The research shows positive action among the business community, as evidenced by the appointment of data protection officers, the investment of financial resources as well as the proactive reporting of data breaches. However, it is clear that embedding compliance into business-as-usual functions, in order to demonstrate accountability, is proving challenging.

“Although a baseline level of compliance has been achieved, organisations are continuing to develop so as to manage data protection risks. It is crucial that businesses are in a position to meet their growing needs and adapt to changes in the external environment that will impact their business – for example, the ongoing emergence of new technologies and Brexit,” McKenna added.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years