Partner, Grant Thornton Ireland
With GDPR arriving in May, Irish organisations must ensure their data protection processes are transparent, accountable and secure, says Grant Thornton Ireland.
Any business that handles personal data has until May 25th 2018 to comply with the new EU General Data Protection Regulation (GDPR) or face potential fines.
This comes as the EU replaces its existing data protection framework in order to strengthen citizens’ privacy by making organisations more transparent, accountable and secure when it comes to the personal information they keep.
GDPR will provide individuals with more power to discover what personal information organisations hold and get it deleted. Mike Harris, partner at professional services firm Grant Thornton Ireland, says organisations need a structured approach to ensure they comply. “GDPR will achieve consistency across the EU regarding data protection and for most organisations it will require a change in culture in how they handle personal information,” he says. Harris adds that organisations must take a project-managed approach to achieving compliance. This means setting milestones and having governance procedures in place.
To get ready for GDPR, companies should:
Formulate a plan, by analysing what they are doing now and seeing what gaps must be plugged to meet GDPR rules. Asking: How is consent managed today? This could mean updating privacy policies or improving technology and systems relating to data security
Implement their plan, by closing the gaps they have identified before May 25th. This might include formulating a new data-breach plan and having processes in place to handle an individual’s request to see what personal data the organisation holds on them. This must be supplied for free within one month. GDPR also needs to be communicated effectively to staff and suppliers who must be able to recognise, for instance, when a data breach has occurred.
Ensure ongoing compliance, by introducing processes that make sure data security and compliance remains up to date. People must have an opportunity to remove consent, for example, and the reason an individual’s data is being requested, must always be very clear. There must also be a process that means personal data is deleted if it is no longer needed for the purpose for which it was originally collected.
Harris says organisations should adopt a ‘privacy by design’ approach so that existing and future technology and marketing systems have GDPR-compliant privacy settings built in. It is also important that organisations work with the companies in their supply chain to ensure they are also GDPR-compliant.
Even if you are not fully compliant on May 25th, it is important to show that efforts have been made to comply.
“You do not want to have a data breach in 2019 and for Ireland’s Data Protection Commissioner (DPC) to discover you have done nothing.” says Harris.
The DPC could fine organisations up to €20m or 4 per cent of total global turnover but if a company is compliant under current law its approach to data protection should largely be valid under GDPR.