Irish businesses are not prepared for the implementation of new EU data protection laws in 19 months, according to a joint survey carried out by McCann FitzGerald and professional services firm Mazars.
Only 16 per cent of Irish firms have mobilised a project to meet the compliance requirements of the EU General Data Protection Regulation (GDPR), while 82 per cent of organisations think meeting the obligations will be challenging or extremely challenging.
The GDPR provides for heavy penalties for companies that breach the regulation, with fines of up to 4 per cent of annual global turnover or €20 million, whichever is greater.
The greatest challenge under the GDPR, according to 43 per cent of firms, will be creating and maintaining an inventory of personal data.
A majority of firms (55 per cent) also believe implementing the more explicit ‘right to be forgotten’ (the right to erasure) will be very or extremely challenging.
According to the survey, 30 per cent of firms do not have a Data Protection Officer (DPO), a role the GDPR makes mandatory for public bodies and for organisations whose core activities involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data. Of those who do have a DPO, 29 per cent believe the role isn’t senior and independent enough to meet the regulation’s requirements.
In addition, 44 per cent of respondents expect that complying with the obligation to notify the Data Protection Commissioner of a personal data breach within 72 hours of becoming aware of it will be very or extremely challenging.
On a more positive note, 78 per cent of respondents will have executive or CEO-level sponsorship of their compliance programmes.
Paul Lavery, partner and head of technology & innovation at McCann FitzGerald, said: “In a globalised world, data is the new currency of business. Managing that data in compliance with the GDPR will pose significant and wide-ranging challenges for Irish businesses but could also create interesting opportunities.
“There are some key steps that organisations should take to prepare, not least ensuring senior level awareness and buy-in to preparing for its application.”
Liam McKenna, partner in consulting services at Mazars, added: “If they haven’t already started, organisations should begin now to review their internal procedures and controls in light of the impending changes under the GDPR, and consider what amendments to such procedures will be required, and what other measures should be taken, to ensure that they are GDPR ready. The penalties could be severe for those who do not comply.”