This article was originally published in the Irish Independent on 27 April 2017.
Experts have warned that Irish organisations aren’t GDPR ready and urgently need to prepare for the tough new data-protection laws which come into effect next year. Much of the preparatory work will fall on lawyers.
The legal profession has an uphill struggle in making Irish organisations aware of the implications of the General Data Protection Regulation (GDPR), according to Mark Adair, a technology-focused law firm partner.
12 months to get GDPR ready
Mr Adair says that given the scope of the new laws and the proximity to their enforcement, he and his colleagues are quite concerned that Irish organisations are not better prepared.
“As we are just over 12 months away from the GDPR coming into force, we would have expected organisations to be there or thereabouts by now, but many are not,” he said.
“The bigger organisations that have access to large in-house legal teams and IT specialists are certainly further along than the SME sector, but it’s important to remember this legislation will not just target the large social media companies, the banks and multinationals, it is for everyone. Organised clients are getting help now.”
Companies must train staff, review and change client contracts, amend privacy statements on electronic communications and learn how to deal with data access requests, as well as addressing security processes before the rules kick in.
Tougher new privacy laws
Mr Adair says that there is a fundamental misunderstanding in many organisations, which believe that the new regulation is purely a matter for IT security who will deal with getting GDPR ready.
“The GDPR is in essence a privacy law with the aim of protecting people, which is something that tends to get lost when technology experts start to talk about the effects it will have on business,” he said.
“That’s the message that we are giving to clients, and it is interesting to see the lack of awareness that there is out there – some people are coming to us who are only now starting to investigate what GDPR will mean for their business, and there are others who know about GDPR but don’t know what steps they need to take in order to be compliant.”
Remedies for data subjects
He warns that GDPR will trigger a boom for some litigation lawyers.
Under the GDPR if a data subject believes their personal information has been handled in a non-compliant way their remedies range from lodging a complaint with the Office of the Data Protection Commissioner, to taking a case against the data processor in court and seeking compensation.
Each of those rights is exercisable and the individual is under no obligation to go through all the steps before taking legal proceedings. If an aggrieved client has the will and the means, they can take the organisation in question to court straight away, under the new rules.
Taking action now
According to Mr Adair, Irish businesses should not take the risk and emphasises that it is now time to start getting GDPR ready and preparing hard for the new legislation. This is particularly true for SME’s, many of whom are of the belief that the new law is something aimed solely at bigger companies.
DataSec Conference, Dublin
Mark Adair is one of the experts speaking the DataSec 2017 Conference taking place on 3 May 2017 at the RDS, Dublin, Ireland.
The event will provide expert speakers, information and insight to help your business comply with GDPR and get the most out of the new legislation. Click here to book your place now.
Photo credit: Pixabay