Thursday, November 23, 2017

New data regulations affect every business and organisation

Elaine Dempsey, BofI Kilcullen; Roisin Crotty, BofI; Niall Rooney, GDPR consultant; Alison Redmond, Kildare Chamber; and Joe Madigan, BofI.
New regulations on data protection have the potential to close the doors of some businesses that don't become compliant with them, writes Brian Byrne.

This was a fundamental warning at a breakfast briefing on the General Data Protection Regulations, due to come into force on 25 May 2018. The event in Keadeen Hotel was organised by County Kildare Chamber, and hosted by Bank of Ireland.

The GDPR regime will replace all current EU data protection regulations and includes 80 new requirements for both businesses and non-profit organisations that process personal data.

Joe Madigan, Head of Customer Data & Retail Analysis with BofI, noted that new penalties under GDPR could range up to €10m for a first-time breach, and that fines based on a percentage of turnover were available for continuing non-compliance. He suggested that up to 18pc of SMEs fined could become insolvent as a result.

He outlined how BofI had worked on the issue internally since GDPR came into effect last year, and emphasised that organisations which worked on what he called the 'gold' level of preparation would not just be compliant, but would gain competitive advantage.

He provided guidelines on approach which apply to every affected business or organisation regardless of its size. In essence, the headings were to establish the current position in relation to data protection, appoint the mandatory Data Protection Officer, create a plan, and formulate a 'defensible position' against any potential challenge.

The complexities of today's data-rich environment are illustrated by the fact that all the devices we use now collect data all the time. These range from smartphones to sophisticated traffic-tracking equipment and much in between.

"We're all data controllers," Niall Rooney of FP Logue Solicitors told the attendance. "Processing involves almost everything you can do with personal data — whether it is collecting the registration numbers of vehicles in a car park, the use of facial recognition software, a taxi that uses a camera to monitor passenger behaviour, businesses that compile customer lists, a book club that uses a data list to issue notices to members. It's an extremely broad thing."

A key element of the new regulation is that every individual will have the right to be provided with all data held by any organisation, without having to pay any fee and regardless of the motive for the request. Niall Rooney said large organisations like BofI and Tesco, for instance, will have all that covered simply by providing a button on their website, which will send the information. "But for many SMEs this will be difficult. And in my view there is going to be a huge increase in people looking for their information."

The new regime will give much more extensive powers to the Data Commissioner, including making companies cease data processing if not compliant. "Most companies, if told to cease processing even for a short period, would have to close their doors," Niall Rooney noted.

A business or organisation must be able to show that the person concerned gave permission for any data it holds about them to be retained, and under the new regulation that permission may be withdrawn at any time.

Alan Shine of County Kildare Chamber outlined how his organisation — which has 280 members, employing some 47,000 people — is going about its GDPR preparation. "We're starting from scratch, stripping out everyone from our lists, to the point of making sure that everyone on our magazine mailing list, for instance, is a member who has given us permission to be on the list."

County Kildare Chamber has appointed Alison Redmond as its Data Protection Officer. She is currently on a course at DCU on the matter, and Alan Shine said she will become the 'go-to' person in the organisation for members seeking advice. "We will be the first business organisation in the country to appoint a DPO. This concerns every single business, and every not-for-profit charity."

He noted also that apart from financial penalties, there would be a 'huge' reputational risk for organisations that are found to be non-compliant.