The February Dublin Data Sec 2018 survey of 350 Irish businesses survey found that less than half of Irish businesses are prepared and in the same month the UK Federation of Small Business survey found that more than 90% of small businesses are still not ready.
Some elements of GDPR will be more relevant to certain organisations than others but in general the new directive means that businesses must:
- Carry out risk assessments.
- Understand where all data resides and ensure it is protected.
- Implement appropriate systems to minimise risk.
- Notify authorities within 72 hrs of a breach.
- Inform people impacted.
- Implement full data protection.
- Appoint a data controller.
The potential risks to organisations for non-compliance include fines of up to €20m or 4% of global turnover – whichever is greater.
Whilst fines can be large, Elizabeth Denham, Information Commissioner, ICO says “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”
If you are compliant with current law, then most of that should remain valid under the GDPR. However, there are new elements and enhancements which will need to be considered by all organisations involved in processing personal data.
GDPR – what you need to do
- Document the information you hold, where it came from and who you share it with.
- Ensure management team and key employees are aware.
- Review how you seek, record and manage consent.
- Do you need a DPO (Data Protection Officer)? If you do, assign one.
- Ensure procedures are in place to detect, report and investigate a data breach.
- Check procedures to ensure they cover individual’s rights, including how you would handle requests and delete personal data.
It is important to note that the GDPR makes it easier for individuals to bring private claims against data controllers when their data privacy has been infringed. It also allows them to sue for compensation.
More information available on the Information Commissioner’s Office website and the EU GDPR website.
The ICO also has a nice little survey to kick start you: Getting ready for the GDPR.
The Irish Data Protection Commissioner also has a checklist and Ibec has prepared some excellent guides.