New data regulations top event’s agenda
LEADING figures from finance, technology, the legal profession and public sector are among the many delegates attending the DataSec 2017 conference which takes place in the RDS Concert Hall, Dublin, on May 3.
The conference is focused on the General Data Protection Regulation (GDPR) which comes into effect in May 2018. Key Irish and international speakers will address the event. The GDPR replaces all current data protection regulations and will result in significant changes in how the public and private sectors across the European Union and beyond deal with consumer data.
While the upside to complying fully with the new regulations is improved workplace efficiency and consumer confidence, the penalties for non-compliance are even greater — fines of up to €20m or 4pc of worldwide turnover, as well as the possibility of civil suits.
The conference will provide expert speakers in IT, data protection and law to help Irish businesses and public sector bodies comply with GDPR.
One of the expert speakers at the conference, Data Protection Commissioner Helen Dixon, said that while some Irish businesses may feel that the GDPR does not apply to them, full implementation of the regulation should be an immediate and urgent concern. “The GDPR is big news because it can’t be business as usual for any type of company or public sector body after May 2018,” she said.
Harry Leech
THERE are now fewer than 400 days to go until the General Data Protection Regulation (GDPR) comes into effect. This piece of legislation becomes law in May 2018 and will result in significant and far-reaching changes in how companies deal with the information they hold on any EU citizen.
Under the GDPR all companies and organisations will have to adopt stringent procedures when it comes to collecting, protecting and storing data belonging to EU citizens.
These will include data ‘anonymisation’ and a requirement to notify the consumers whose data you hold within 72 hours if a breach occurs.
Here we answer some of the most commonly asked questions about the legislation.
WHAT CONSTITUTES ‘DATA’?
Under the GDPR it is not just information such as passwords, PIN numbers or dates of birth that companies and other organisations will be legally obliged to protect and treat ethically, but anything that could be construed as ‘personal data’.
This includes data subjects’ location data, social security numbers, IP addresses, email addresses, as well as any and all details on physical characteristics such as age, race, physical attributes, or gender.
WHY IS THE GDPR NEEDED?
There were two main problems with the data legislation that the GDPR replaces — the first was that it was outdated (pre-dating companies like Facebook, Instagram, Twitter, Snapchat etc).
The second issue is that the penalties were far too low. For example, some companies saw a potential fine for an illegal direct marketing campaign as part of their budget. That will not be possible under the new legislation.
FINANCIAL PENALTIES
The penalties are significant by any measure — for “very serious breaches” the penalties reach €20m or 4pc of total worldwide annual turnover (whichever is greater).
The company found to be negligent can also be sued by the data subject.
Even if there is no proof that the consumer has suffered material damage, if the company cannot prove its compliance with the GDPR, it can be subject to a civil claim.
Recent research has also shown that serious data breaches negatively affect consumer and investor confidence, and can hit share prices hard.
WHO (OR WHAT) IS A DPO?
Under the GDPR many companies will be required to appoint a Data Protection Officer (DPO) to oversee how consumer data is collected, stored and disposed of.
For small companies which do not collect much consumer data, this may be someone who takes on the role in addition to their other responsibilities in the company.
For consumer-facing companies which collect a lot of consumer data, the role will likely have to be a dedicated position.
The role will not be a middle-management appointment either — under the GDPR, the DPO must report only to the CEO of the organisation. It is permissible to appoint a third-party consultant as your DPO.
ARE WE STARTING TOO LATE?
Many Irish companies are aware that the GDPR is coming, but the vast majority are not sufficiently prepared.
Only 6pc of those questioned in a recent survey by the Irish Independent said their GDPR plans were at an advanced phase.
The figure is very low, and the fact that others are not ready either will not be a defence once the legislation is in place.
WHERE SHOULD OUR COMPANY START?
The first thing is to get started as soon as possible — this legislation is not a simple IT or HR fix.
It will likely involve an organisational overhaul in how your company treats consumer data, which will need to be addressed on an ongoing basis.
The second is to appoint someone — a qualified member of staff or outside consultant — to oversee the process, and to begin implementing some of the more straightforward practices, including amending consumer privacy statements.
The final, and perhaps most important, part is to begin the process of training staff, as compliance with this legislation is only possible if every member of your organisation is aware of it and actively implementing it.