GDPR: organisations can’t afford to ignore new EU rules on data privacy

Daniel McLaughlin, MCL Services.

Organisations cannot afford to ignore new rules on storing, processing and sharing people’s information, local experts have warned.

The ‘Journal’ has sought the views of Derry-based specialists working in the fields of internet security, human resources and law on why all businesses and organisations should be prepared for today’s implementation of the EU General Data Protection Regulation (GDPR).

Derry-based cyber security expert, Daniel McLaughlin, claims that local businesses were “not prepared for the scale of changes coming.”

“Since 2016, MCL Services has been helping businesses across the UK and Ireland to understand the full scope of GDPR’s requirements on their operations,” he said. “However, I fear there are many more out there which have not grasped the magnitude of the changes or the potentially business-ending consequences of being non-compliant.”

In simple terms, GDPR requires all organisations or individuals who store, collect or manage the data of people living in the EU, to comply with new rules on privacy, user consent and the notification of data breaches.

“GDPR,” adds Daniel McLaughlin, “includes wider reaching definitions of what constitutes personal data. It increases an organisation’s obligation when it comes to storing and processing this information securely. There must be a lawful basis for processing the data with consent being only one option – in other words the who, what, when, where, why of the storing, processing and sharing of information. At the heart of the regulation’s design is the protection of people’s privacy. It requires any organisation - from sole traders to multinational companies - to comply with any person’s request to erase, migrate or deliver information about them. Companies are obliged to demonstrate that they have policies and procedures in place to protect this data and are transparent about what they are doing with it.”

The new regulation is, said human resources and employment law consultant, Martina McAuley, from HR Team, having a “very significant impact” on how employers handle employee information.

“The implications of the new regulation will be felt throughout the organisation, not least in HR departments,” she claimed. “Employers should, by now, have reassessed how they handle employee data in order to avoid risk of breaching the new rules. Those who haven’t are best advised to act now. Any employers who assume this new regulation does not apply to them may well find themselves facing crippling penalties down the line.

“Of course, it is necessary for organisations to process the personal details of staff, but employers need to be aware of the new changes surrounding the storage and protection of employee data. The new regulation brings the legal basis for processing such data into much sharper focus.”

Ms. McAuley said it was important that senior management/board members are fully aware of the risks of being found in breach of the regulation.

“It’s crucial that data processing methods in organisations’ employment lifecycles are reviewed to identify any potential risk areas. Also worth considering is the appointment of a suitably skilled compliance officer or team to develop, deliver and oversee a GDPR compliance plan for staff to adhere to.”

Philip Gilliland, Managing Partner and head of Commercial Law at Caldwell and Robinson Solicitors, added that organisations which deal directly with consumer data will have a larger task than others in achieving compliance.

“For businesses, it’s all about sensibly managing risk,” he said. “Most businesses that sell to other businesses will not need to reinvent the wheel to be GDPR compliant, but those which deal directly with consumers, or that regularly handle sensitive personal data, may find that they need to do more.”

Mr. Gilliland said the new GDPR has implications for ‘virtually every business in Ireland,’ north or south.

“All businesses need to ask themselves what personal data they hold, why they hold it and how long for. Being GDPR ready means having the right privacy notices in place, ensuring that your systems and processes can cope with individual data requests and protecting against data breaches.

“The implications of getting it wrong can be very costly for business, both in terms of fines and damage to reputation,” he maintained.

The consequences of non-compliance under the GDPR can include fines of up to €20m or 4% of an organisation’s revenue, whichever is higher. These fines can be levied regardless of the size of an organisation.

There is also the potential for spin-off costs associated with negative exposure and any loss of public confidence that accompanies media coverage.

According to survey results released last month, only 22% of NI businesses felt sufficiently prepared for the GDPR, with more than half (52%) saying they were only ‘somewhat prepared’ and a quarter (25%) claiming that they were ‘not at all prepared.’