One in five firms don’t know if they’re processing minors’ data
IRISH lawyers fear security breaches and international data transfers as their biggest “data protection risk”, according to a survey of 400 in-house legal staff by Mason Hayes & Curran.
The lawyers, from domestic and multinational firms and representing multiple sectors, also count a “lack of internal controls or documentation” as a significant risk, suggesting patchy practices in Ireland’s biggest companies.
And 40pc say that their organisation did not change their corporate cookie policies or banners in 2020, despite being told by Ireland’s Data Protection Commissioner to do so.
The results will raise questions over the level of compliance and security readiness employed by some of the biggest companies in Ireland.
“It’s not surprising that data breaches are top of the list in terms of data protection risks,” said Oisín Tobin, privacy and data security partner with Mason Hayes & Curran.
“Organisations are all too aware of the potential for plaintiff litigation by someone affected by a data breach, and we have seen an increase in civil litigation in this area. There is also the reputational risk to an organisation that suffers a data breach.”
Over two in five of those questioned cited “security breaches” as the biggest risk with 19pc singling out the transfer of data to the US, UK and other countries.
Separately, the survey showed that around one in three companies say they process the personal data of minors, mostly “with special safeguards in place”.
However, one in five said that they don’t know whether the data of minors is being processed or that it was without any special safeguards in place.
“One clear area of focus will be the processing of the personal data of minors,” said Mr Tobin. “The DPC released a significant set of proposed standards at the end of 2020 in this area, so it is clearly a priority for them.”
Last year, the Data Protection Commissioner Helen Dixon released new guidance around the use of cookies on websites in 2020. Of the 400 lawyers surveyed by Mason, Hayes & Curran, 50pc said that they had changed their cookie policies because of the new guidance.
However, a substantial minority (40pc) haven’t changed their cookie policies.
“After the DPC released their guidance on cookies, there was a six-month grace period to allow organisations time to examine their current practices and update them accordingly”, said Philip Nolan, head of privacy and data security for Mason Hayes & Curran.
“However, that grace period expired in October 2020 so organisations who haven’t reviewed their cookie policies should do so as a matter of urgency. They also need to remember that if they have any reach outside of Ireland, they will need to be cognisant of rules around cookies in different jurisdictions.”
The survey, which was carried out at a webinar attended by 400 in-house lawyers, comes ahead of international data protection day, which takes place this Thursday, January 28.