GDPR – Key Learnings for Irish Businesses
The past few weeks have witnessed significant data protection activity. Earlier this month, Tusla became the first organisation to be fined by the Data Protection Commission (DPC) under the General Data Protection Regulation (GDPR), for a total of €75,000. The Commission has notified that a second fine for the agency is pending. EasyJet also made news, when a cyber-attack resulted in a breach affecting 9 million customers, including emails, credit and debit card details. It is clear that data privacy must remain a priority for companies across all sectors. As we mark the second anniversary of the GDPR on 25th May, it is timely to assess some of the key learnings for Irish businesses over the past twenty-four months. In this article, we’ll look at five aspects that firms should consider.
Fines
A key reason the GDPR attracted high levels of media coverage was the potential for large fines. The Regulation provided for penalties of up to €20 million or 4% of annual global turnover. Following a slow start, we have seen data protection authorities across Europe begin to take action. Last summer, Britain’s Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183 million (€210 million) for a data breach affecting half a million of its customers. Earlier this year, Google was issued with a €7 million fine by the Swedish authority, for not complying with the right-to-be-forgotten.
Closer to home, the Irish Data Protection Commission (DPC) has faced criticism for a perceived slowness in issuing penalties, given the number of big technology companies based here. It will be interesting to watch the Commission’s next steps, following its decision in relation to Tusla. For the moment, there remains a lack of clarity as to exactly how fines are calculated and what levels are considered appropriate for particular breaches and offences. This will take time to stabilise.
Complex Global Privacy Landscape
The introduction of GDPR sparked similar legislation in countries around the world. In the USA, the California Consumer Privacy Act came into effect this year, whilst lobbying is ongoing for a law at federal level. In the interim, many US states have introduced their own privacy bills. This makes for an increasingly complex privacy landscape. For Irish companies considering establishing a footprint in the US, it requires an understanding of data protection laws at a national, regional and local level, alongside ongoing adherence to GDPR.
EU legislators are also looking to progress the ePrivacy Regulation. Originally intended for introduction at the same time as GDPR, it has been held up by lobbying and disagreements between member states. One of the aspects it seeks to address is the use of website cookies. In the interim, companies operating across Europe are faced with significant local variances in how ePrivacy laws are interpreted. The DPC released its own guidance in early April. Companies should familiarise themselves with this document urgently, as the six-month grace period leaves relatively little time to ensure compliance.
The challenges and potential of new technologies
The Government is due to launch a national artificial intelligence (AI) strategy later this year. Alongside the recent cyber security strategy, it is a key component in the EU’s goal of achieving a digital single market. However, AI and machine learning pose specific issues regarding transparency. This is of particular concern when data is used for the purposes of profiling. It is difficult, even post-fact using auditing technologies, to ascertain exactly what processing occurred to achieve these decisions.
As we enter a new decade, AI promises significant productivity advantages for Irish businesses. This must be balanced with individuals’ rights to privacy and the protection of their personal data.
Increased awareness of data privacy rights
Consumers are now much more aware of their data protection and privacy rights This is reflected in the DPC’s most recent annual report. A total of 7,215 complaints were received last year, representing a 75% increase on 2018 figures. Data breach reporting, meanwhile, saw a 71% increase for the same period. For Irish businesses, it is vital to develop a culture of trust and transparency around the use of customers’ personal data.
Embedding principles such as data protection by design and default into processes and procedures will help ensure privacy concerns are considered from the outset with any new projects. Training and development is also key. We know that human error is one of the top causes of data breaches. Data protection cannot be considered the sole preserve of the legal and compliance departments. It is the responsibility of every member of staff. Ongoing training helps keep this uppermost in the minds of all levels of the organisation.
The importance of accountability
Accountability is one of the core principles underpinning the GDPR. Companies must be able to demonstrate compliance in a tangible way. This is achieved in various ways. For example, clearly documented policies, widely understood across the organisation, which are regularly reviewed and updated. Many companies are still working towards full compliance. Businesses that can show they are taking a structured and iterative approach to developing a compliant culture are likely to be dealt with more favourably by the DPC in the event of an audit or investigation.
Conclusion
Data protection continues to be a high priority area for businesses, driven in many instances by fear of the financial and reputational impact of non-compliance. This is likely to remain the case over the coming decade as consumers become increasingly aware of their rights. Data is a fundamental driver of the digital economy. As companies introduce more complex technologies, such as AI and blockchain, they will face demands from their customers to ensure their data is being dealt with in a fair and responsible manner. Those with a multinational presence face the added challenge of complying with differing national, regional and local laws globally. Those businesses that develop a culture of trust and transparency will be well placed as Irish industry seeks to return to growth following the lockdown.
Steven Roberts is Head of Marketing for Griffith College and a certified data protection officer. He is the author of the forthcoming book ‘Data Protection for Marketers: A Practical Guide’, which is due for publication by Orpen Press in 2021.