The following article by Ruth Wildgust appeared in the Sunday Business Post’s special 2 page report on GDPR.  Please see below for the full article.

Oct 8, 2017

Companies, public bodies and other organisations across Ireland are preparing for the implementation of the General Data Protection Regulation next May

With the May 25 deadline for the implementation of the General Data Protection Regulation (GDPR) less than eight months away, the Office of the Data Protection Commissioner (DPC) is urging businesses and organisations to act now to ensure that they will be in compliance with the regulation when it comes into effect.

“At DPC Ireland we are very aware from our ongoing engagement with organisations across all sectors, public and private, that getting ready for the GDPR is a significant challenge and that, in some sectors, the realisation that data protection law is changing significantly has yet to fully hit home,” said Irish data protection commissioner Helen Dixon.

“Encouragingly, however, there are growing signs of GDPR readiness programmes being mobilised in organisations and businesses of all sizes,” said Dixon.

“DPC Ireland is working constructively with industry bodies and representative associations to build awareness of the GDPR with a special emphasis on small and medium-sized enterprises and organisations.

Recent examples include the launch of Retail Excellence Ireland’s GDPR guide and the Charities Regulator’s new guide on fundraising, which includes a GDPR focus,” she said.

“We are also continuing to build the capacity of DPC Ireland to effectively implement the new powers and duties we will acquire under the GDPR. For example, work is progressing well on developing our new website, which will include an online facility to assist organisations in notifying the DPC of data breaches.”

Companies, public bodies and other organisations across Ireland are assessing their readiness for the implementation of GDPR to ensure that data privacy is built into their systems and processes.

“Most of our clients are under way with their GDPR assessments to conduct a gap analysis to understand where exactly they are in terms of data protection compliance and what they need to do in terms of getting ready for GDPR,” said David Collins, director in management consulting at KPMG.

“Companies have the opportunity to realise a competitive advantage by ensuring that their customers can trust them and the way that they manage their data,” said Collins.

“It’s also important to recognise that by having a greater understanding of the data that you hold, there is an opportunity to realise savings in terms of data storage. If you no longer need data or you realise that you have unnecessary copies of data, there is an opportunity to reduce those costs.”

The implementation of GDPR also provides an opportunity for organisations to review their existing policies and practices and raise awareness at all levels in the organisation, according to Evelyn Cregan, chief executive of the Association of Compliance Officers in Ireland (ACOI).

“If you haven’t started, start now. Identify the data you have, understand why you need it, what you do with it, and where you hold it,” said Cregan.

“Make sure your staff are upskilled to meet the new challenges. Becoming a certified data protection officer (CPDO) with ACOI meets those needs. Consider the rights of the data subjects and create the right culture in the organisation’s approach to managing data.”

Cregan said breaches of compliance regulation could result in regulatory censure, the reputational damage of being cited as being non-compliant, and losing customer trust. Ultimately there could be fines of up to €20 million, or four per cent of worldwide turnover.

DPC Ireland’s consultation and guidance activities are contributing to organisations’ compliance readiness by helping them to better understand their GDPR obligations.

“We have launched a GDPR-specific microsite – GDPRandYOU.ie – which is a central repository for all our key GDPR-related guidance. Representatives from the DPC undertake speaking engagements on a weekly basis, as we engage with sectoral and representative organisations to spread the word about GDPR,” said Dixon.

“We are advising organisations to start their preparations now, if they haven’t already. Our GDPRandYOU guide, available on our website, offers a useful 12-step initiation for those who have not yet begun to prepare,” she said.

“Further guidance will be published in the coming months, including guidance on key provisions of the GDPR such as consent, profiling, transparency and international data transfers, which we are preparing in cooperation with our other EU data protection authority colleagues.”

To inform the preparation of this guidance, DPC Ireland is currently holding a public consultation on the topics of transparency and international data transfers. The closing date for submissions is Friday, October 13.