GDPR and You

Today marks one year until the introduction of the EU’s substantial overhaul of data protection laws, the General Data Protection Regulation (GDPR), but only 14% of Irish SMEs have begun getting ready, according to a new study for the Data Protection Commissioner (DPC) conducted by Amárach Research.

The DPC today embarked on a significant information campaign to help businesses and organisations, particularly SMEs, in their preparations for the introduction of the GDPR. With the launch of a GDPR-focused website (www.GDPRandYou.ie), the DPC is putting in place a critical resource and support system as organisations prepare to be GDPR-ready.

The new website will include guidance material to educate and guide organisations on what the GDPR will mean for them and how they can plan for its implementation. The DPC has produced a 12-step guide to getting ready, as well as a video and other downloadable materials, and will continue to add to this published guidance over the coming months. The DPC will also continue to undertake a significant number of speaking engagements and meetings with industry and sector representatives to build awareness of the new law.

Data Protection Commissioner, Helen Dixon said, “Data protection laws exist to ensure fair play for everyone in how their identity and personal data is used by big corporations, governments and all sorts of organisations and businesses. The GDPR is a game-changing overhaul of our current data protection laws. It will impact every type of company and organisation regardless of their size and require many of them to take significant action well before May 25th 2018.


“As of today, we have one year to go before the implementation of the GDPR and the DPC is here to assist companies and organisations understand the steps they need to take on their journey towards GDPR-readiness. Through our engagement with industry and organisations from all sectors, as well as our new website which will be regularly updated with new guidance, our aim is to drive awareness of the new law by providing information and guidance that will assist organisations to be GDPR-compliant by May 2018.”

The survey found that just over a quarter of businesses (26%) did not know when they expect to begin their GDPR-implementation plan, with this number increasing to 39% for micro enterprises (1-9 employees). Despite a high level of awareness of GDPR (69%), 70% of respondents admitted to being unaware it will be effective from 25th May 2018. Medium enterprises (50-249 employees) and SMEs in Dublin were the most likely to be aware (49% and 42% respectively).


“It’s not a surprise that many companies, particularly SMEs, have not yet begun to get GDPR-ready or even considered what that might look like. Larger organisations, with greater resources, are likely to be more advanced in their preparations and are generally more cognisant of data protection requirements. Therefore, we are focused on helping SMEs who may feel that the GDPR doesn’t apply to them or that there is little to fear in ignoring it, when in fact this is far from the case,” said Helen Dixon.


With one year to go, the survey found that 67% of companies have yet to carry out an assessment of all the personal data they hold. Medium-size enterprises (39%) and SMEs in Dublin (40%) and Munster (37%) are more likely to have assessed this. 57% said they have still to assess why they hold personal data and 64% said they had not assessed how long they needed to keep this data.


“Twelve months is not a long time and nobody can afford to delay. The first step is to conduct an analysis to know what data you have, why you have it and what you do with it. The GDPR introduces substantial new accountability requirements for organisations processing personal data, including a need to document and inventory data processing operations. Once you know what you’re dealing with, only then can you begin to understand how the GDPR will impact you and your business and the changes you need to make to be GDPR-ready,” said Dixon.


In terms of the changes GDPR will bring, 83% of businesses were unable to name any changes for their organisation and three in five (59%) admitted to being unaware of the large-scale fines that could be imposed for non-compliance.


While 73% of those surveyed did not know whether they would be required to appoint a Data Protection Officer, this number rises to 90% among micro enterprises. Encouragingly, 51% of businesses already have a staff member in place who is responsible for overseeing compliance with data protection, with SMEs in Dublin (58%) and Munster (58%) the most likely to have someone in place.


“Organisations that are not compliant now will certainly not be in compliance with the new higher bar under GDPR but of course what’s going to change under GDPR are the greater consequences for non-compliance. We have produced our own guides including a 12-steps guide to getting ready, as well as video and other downloadable materials. We will continue to add to this published guidance over the next 12 months and beyond so people should regularly check our GDPR website at www.GDPRandYou.ie.

“The message is that you need to start preparing for GDPR sooner rather than later. Successful implementation of the GDPR requires a level of collaboration and consultation between industry and the data protection authority and we are here to work with you and give you guidance,” said Dixon.

The survey was conducted with 500 businesses spread across Ireland, including a good distribution of micro-, small and medium enterprises and across a range of industry sectors. Interviewing fieldwork took place between 24th of April 2017 and 10th of May 2017. The results of the survey are available for download here.