Irish firms aren't prepared for changes to European Data Protection law, according to survey by Mazars and McCann FitzGerald

The EU’s new data protection laws will come into force in just over 19 months but many Irish firms have not begun preparing for the change, a joint survey carried out by professional services firm Mazars and law firm McCann FitzGerald suggests.

  • 82% think that meeting the compliance requirements of the GDPR will be challenging to extremely challenging;
  • Only 16% have already mobilised a project to meet the compliance requirements;
  • Once it comes into force in May 2018, failures to comply could result in fines of up to 4% of global turnover or €20m.
Download the survey results here

The survey explored the readiness of Irish business for the implementation of General Data Protection Regulation (GDPR) in May 2018, as well as gauging the estimated difficulty for businesses of complying with the new requirements.

Pictured (L-R): Adam Finlay, Partner, McCann FitzGerald, Jan Matto, Partner, Mazars Netherlands, Liam McKenna, Partner Mazars Ireland and Paul Lavery, Partner, McCann FitzGerald. 

The GDPR provides for heavy penalties for companies that are in breach of the regulation and includes fines of up to 4% of global turnover or €20 million (whichever is greater) in the case of a breach.

According to the survey, many businesses have not yet addressed some of the key requirements of the GDPR.  While 82% of organisations think that meeting the challenges of GDPR will be challenging to extremely challenging, only 16% of organisations have actually mobilised a project to meet those compliance requirements. 43% envisage that creating and maintaining an inventory of personal data will be the most challenging requirement to address.

The GDPR provides for a more explicit ‘right to be forgotten’ than currently exists under European data protection law. 55% expect implementing the‘right to be forgotten’ will be very or extremely challenging.

Under the GDPR there will be an obligation on certain categories of data controllers and data processers to appoint a Data Protection Officer (DPO) in order to monitor compliance with the GDPR. According to the survey, 30% of organisations do not have a Data Protection Officer (“DPO”), a requirement under the new regulation. Of those organisations that have a DPO, 29% believe that the role isn’t sufficiently senior and independent to meet the GDPR requirements.

In addition, 44% expect that complying with the obligation to notify the Data Protection Commissioner of a security breach within 72 hours will be very or extremely challenging. On a more positive note, 78% of organisations surveyed will have executive or CEO level sponsorship of compliance programmes to meet the requirements.

Commenting on the research, Paul Lavery, Partner and Head of Technology & Innovation, McCann FitzGerald, said: “In a globalised world, data is the new currency of business.  Managing that data in compliance with the GDPR will pose significant and wide-ranging challenges for Irish businesses but could also create interesting opportunities.  There are some key steps that organisations should take to prepare, not least ensuring senior level awareness and buy-in to preparing for its application.”

Liam McKenna Partner - Consulting Services, Mazars, added: “Our message is simple.  If they haven’t already started, organisations should begin now to review their internal procedures and controls in light of the impending changes under the GDPR, and consider what amendments to such procedures will be required, and what other measures should be taken, to ensure that they are GDPR ready. The penalties could be severe for those who do not comply.”