Political parties, charities and sporting organisations are scrambling to become compliant with the most comprehensive data protection legislation ever introduced by the EU, data security experts have warned.
The General Data Protection Regulation (GDPR) becomes law in May and is designed to harmonise data privacy laws across Europe and to protect citizens’ data privacy.
It not only applies to organisations within the EU, but also to firms that do business inside member states.
Under the new laws:
- Companies processing high volumes of personal data must have a data protection officer;
- Any organisation or person who processes personal data on behalf of the data controller can be held directly liable for the security of personal data;
- Impact assessment audits must take place where privacy risks are high;
- A data controller must report a data breach within 72 hours unless there is a “low risk” to the individual’s rights.
The GDPR also makes it considerably easier for individuals to bring private claims against data controllers when their data privacy has been infringed.
If organisations fail to comply with the regulation, they can be fined up to 4% of annual global turnover, or €20m.
Last year, there were 2,301 data breaches reported to the Office of the Data Protection Commissioner in Ireland.
However, there remains a misconception that the new laws merely apply to businesses, according to Pat Larkin, chief executive of IT security firm Ward Solutions.
Mr Larkin said charities and local clubs must be as compliant with the GDPR as businesses.
“My concern is that the level of awareness isn’t there. Our experience from our information events is that there are still a lot of businesses who don’t realise exactly what it entails — up to a third of businesses at our events haven’t grasped what lies ahead.
“If businesses are unaware and unprepared at this point, can you imagine what it is like for charities and sporting clubs? The challenge for sports clubs and charities is how to become compliant. They are going to need assistance, or someone is going to have to learn about it within.”
Mr Larkin said measures taken for granted among organisations, including storing email addresses and phone numbers to send out emails and texts, would now have to be looked at in a fundamentally different way.
“Any loose practice around unsolicited emails, sharing emails and texts will go out the window,” he said.
Political parties have remained largely quiet on their plans to become compliant. Only Fianna Fáil and the Social Democrats responded to the Irish Examiner when asked if they had taken steps to comply with the GDPR.
Fine Gael, Sinn Féin, Labour, Green Party, and Solidarity-People Before Profit Alliance failed to respond to queries.
Data and technology firm Vconnecta, whose political data technology has been used in political campaigns in Ireland, the UK and the USA, said political parties face a challenge before May 2018.
“At the moment, political parties and politicians probably hold data about voters in a variety of places including paper format, desktop, email servers and so on,” said Vconnecta’s head of growth, Brendan Tobin.
“With the arrival of GDPR, politicians are going to have to consider things like anonymisation of existing data, gaining formal consent from voters to hold their data, and using voter privacy software to manage all this.
“For voters, this is a very welcome shift in the legislative framework as it clearly protects their data from either intentional or unintentional misuse.”
The GDPR was ratified following four years of negotiation, replacing the existing directive on data protection.
Unlike an EU directive, which member states can implement over a period of time, the regulation takes direct legal effect when it begins to apply in May 2018, meaning penalties can be imposed from day one.
Organisations that fail to comply face the same penalties as businesses.