Companies still confused about data protection requirements

It has been a year since GDPR legislation standardised data privacy across the EU, but how to comply has not always been obvious, says Mike Harris.

Already the emails, LinkedIn posts, and events to mark the one-year anniversary of GDPR have started arriving. As with the flurry of consent emails of last May, these confuse and distract from the ongoing data-protection requirements and often tend to be sensationalist.

All EU states have passed their own data-protection laws, and enforcement has begun in many countries, so where do things stand and how can organisations navigate the way forward?

The first year of GDPR has been a settling-in period for regulators and organisations. Fines, breach notifications, and reporting are all still a grey area, pending more detailed guidance and examples from the data protection authorities and/or the courts.

There has been initial guidance on certifying organisations’ data-protection compliance. However, there is no formal, approved certification mechanism to give organisations a means to prove compliance.

Over the last year, there have been lots of GDPR myths and misunderstandings. There have been claims that the GDPR prevents people from taking pictures at children’s communion, or from getting details of hair dye colour in a hairdresser’s.

These have all muddied the waters and made it harder to separate the wheat from the chaff of actual meaning. A great deal of confusion remains about data-protection requirements.


A pragmatic view is needed to help organisations create the operational policies and processes to become compliant with GDPR. Rather than getting lost in the often academic and esoteric details, those tasked with GDPR compliance should focus on an approach that is appropriate for their organisation and its business model.

That approach should be sensible and cost-effective and easily defensible to the regulator. Fundamentally, organisations should assess their current data-protection environment and define a target operating model, incorporating the elements of people, process, and technology.

  • People: Incorporating awareness and training; and data protection and related policy formulation.
  • Process: Instruction documentation that provides structured guidance when dealing with personal data, thereby setting the business up for success. This includes policies, a record of processing activities (a detailed listing of all processes containing personal data, required to be kept under GDPR), and an analysis of high-risk processes and their associated controls (referred to as Data Protection Impact Assessments, etc.).
  • Technology: Updating and deploying technology to securely find, store, amend, and delete personal data in a controlled, systematic fashion.

These elements are especially important now, based on an understanding of the volumes and demands on any data-protection function. This will clearly depend on the nature and volume of personal data that an organisation processes: for example, a retail company versus a business-to-business company. Data-protection certifications and training courses are valuable and worthwhile pursuits.

However, many organisations are struggling to bridge the gap from theory to practice. Conferring the title of data-protection officer does not necessarily bestow the necessary know-how to enact data protection in the organisation.

Organisations should take a risk-based view, as is called for in the regulation. The risks to be considered are the risks to the people whose data you process, remembering, of course, that processing is widely defined, and even includes simple storage of data.


Once an operating model for data protection is developed, it’s vital that organisations confirm, through rehearsal, that it is fit for purpose. This allows the opportunity to course-correct or adjust to organisational idiosyncrasies that might not have been apparent from the development work.

It’s vitally important for organisations to practise both subject rights responses and what they would do in the event of a data breach. Having to work out the steps in the process while under significant time pressures, and in the heat of the moment, clearly should be avoided. Organisations should have simple scripts that are ready to follow and which will work in most circumstances.

Fundamentally, putting data-protection structures and guidance in place across people, process, and technology (in that order) is key. This will mitigate short-term GDPR risks and create a long-term data-protection culture.

Mike Harris is partner and cyber-security expert at Grant Thornton Ireland.
