April may be the cruellest month in poetry, but for businesses May is the one to watch. This year, on May 25th, the EU’s General Data Protection Regulation (GDPR) comes into force, providing a legal framework governing the way personal data is gathered, stored and used.
“I’d almost equate it to Y2K in terms of the sense of impending doom that is growing up around it,” says Gordon Wade, a solicitor with KPMG Legal Services.
In fact, it’s not that bad. “It’s not going to be a revolution so much as an evolution. A lot of the data protection principles in it are the same as were already in force,” he says, but with two big caveats.
For a start there are many more ways for businesses to collect data than there were when the previous data protection regulations were drawn up. “That was back in 1995. Mark Zuckerberg was 11. The Data Protection Directive as it was never foresaw the advent of things like Facebook or Fitbits, and wasn’t set up for them.”
Any business that deals in personal data must now run a compliance rule over elements of their business such as social media usage and internet of things-style smart devices.
“But what really is huge about GDPR is the fact that it brings penalties for those found to be in breach of the law, which is something we didn’t have before – fines of up to €20 million or 4 per cent of global turnover,” says Wade.
Where breaches occur, GDPR may even pave the way for class actions to be brought before Irish courts, a new departure here.
Personal data
“For businesses that don’t yet have a GDPR strategy the real issue now is that there isn’t a lot of time left, which means assessing what personal data they hold, why they hold it, how did they get it and what are they doing with it.”
This applies not just to businesses that bundle up customer data and sell it on, but also to those undertaking traditional activities such as outsourcing their payroll function to a third party.
The new rules also encompass everything from privacy policies on websites to privacy training for staff and ensuring adequate cyber security measures are in place. It will have a bearing on marketing activities too, such as direct marketing, and even on customer relationship management (CRM) software.
As a business you may hope to rely on having a “legitimate interest” in holding names, addresses and other details for marketing purposes should a case come to court. But you still need to trawl through your CRM database to ensure you have the requisite permissions to hold such data and, where you do not, you may have to purge those records.
“In some cases people are actually looking forward to the first fine under GDPR so that they can see what they are dealing with,” says Wade. For now there is a lot of fear around, and with good reason: “The fines could potentially be business-ending.”
Challenging
Awareness of the problem is at least growing. In November professional services firm Mazars and law firm McCann FitzGerald released a second annual report on the GDPR-readiness of Irish businesses.
It found 95 per cent of respondents felt that meeting their compliance requirements will be challenging or extremely challenging, up 13 per cent on the previous year.
Some 73 per cent of organisations had by that stage at least begun to tackle the issue, up from just 16 per cent the previous year.
Despite this increase in activity – or perhaps because of it – 75 per cent believed their current data protection and privacy notices, and methods of consent, will require significant changes, a rise of 42 per cent on the previous year.