Time is running out for organisations to put plans in place to comply with the significant European data protection law that takes effect next May, warns the Data Protection Commissioner’s office, writes Pádraig Hoare.
Research has revealed a third of Irish businesses have yet to begin taking steps for the EU’s general data protection regulation (GDPR), despite serious consequences for firms if they do not comply.
Dublin tech firm Wizuda found less than two-thirds of Irish companies (64%) have actually started on their path to GDPR compliance. Just 69% of companies claimed GDPR compliance is a top priority for their organisation.
More than a quarter of businesses said other projects were of a higher priority than a plan to comply with the GDPR.
This is despite more than half of firms saying they expect a data protection audit in the next 18 months.
The Data Protection Commissioner’s office said planning has to be taken seriously by organisations.
A spokesman said: “Many organisations have grasped at a high level the implications of the GDPR for their businesses. However, their specific steps and actions are much less defined.
“It is critical that organisations should now be pulling a GDPR readiness plan into action, and mobilising the effort and resources required to be compliant by May 2018.”
The office has stressed that compliance need not cause “anxieties” for companies.
“The sooner you begin to prepare for the GDPR, the more cost-effective it will be for your organisation,” the office states in its information literature.
The regulation was ratified following four years of negotiation, replacing the existing directive on data protection.
Unlike an EU directive, which can be implemented over a certain time, the regulation becomes law once it takes effect in May 2018, meaning penalties can be imposed from day one.
The regulation is designed to harmonise data privacy laws across Europe and to protect citizens’ data privacy. It not only applies to organisations within the EU but also to firms that do business inside member states.
If companies fail to comply with the regulation, they can be fined up to 4% of annual global turnover, or €20m.
Wizuda commissioned Amárach Research to conduct research across 175 organisations, focusing on SMEs and targeted IT leaders.
The Data Protection Commissioner has engaged in a significant information campaign to increase awareness in recent months.
Cork Chamber has also made GDPR preparation one of its key focuses for its members over recent months.
Chief executive Conor Healy said it was vital that firms did not underestimate the new regulation.
“It is something that is very important for all businesses to be conscious of, and for them to have plans in place. People are generally aware of the legislation and that it is coming in May next year — but they may feel there is still time in the new year to begin.
“However, nobody should underestimate the work that needs to be done when it comes to the GDPR. It is important to have a GDPR champion within an organisation that knows what is needed.
“I would urge all businesses that have not begun to implement their plans to do so as soon as possible.”