The legal profession has an uphill struggle in making Irish organisations aware of the implications of the General Data Protection Regulation (GDPR), according to Mark Adair, a technology-focused partner in Mason, Hayes & Curran.
Mr Adair says that given the scope of the new laws and the proximity to their enforcement, he and his colleagues are quite concerned that Irish organisations are not better prepared.
“As we are just over 12 months away from the GDPR coming into force, we would have expected organisations to be there or thereabouts by now, but many are not,” he said.
“The bigger organisations that have large in-house legal firms and IT specialists are certainly further along than the SME sector, but it’s important to remember this legislation will not just target the large social media firms, the banks and multinationals, it is for everyone. Organised clients are getting help now.”
Companies must train staff, review and change client contracts, amend privacy statements on electronic communications, learn how to deal with data access requests and address security processes before the rules kick in.
“The GDPR is in essence a privacy law with the aim of protecting people, which is something that tends to get lost when technology experts start to talk about the effects it will have on business,” he said.
“That’s the message that we are giving to clients, and it is interesting to see the lack of awareness that there is out there – some people are coming to us who are only now starting to investigate what GDPR will mean for their business, and there are others who know about GDPR but don’t know what steps they need to take in order to be compliant.”
He warns that GDPR will trigger a boom for some litigation lawyers.
Under the GDPR, if a data subject believes their personal information has been handled in a non-compliant way, their remedies range from lodging a complaint with the Office of the Data Protection Commissioner to taking a case against the data processor in court and seeking compensation.
Each of those rights is exercisable and the individual is under no obligation to go through all the steps before taking legal proceedings. If an aggrieved client has the will and the means, they can take the organisation in question to court straight away, under the new rules.
Mr Adair says Irish businesses should not take the risk, and emphasises that it is now time to start preparing hard for the new legislation, particularly for SMEs, many of which believe that the new law is aimed solely at bigger firms.
Mark Adair will be among the speakers at INM’s Dublin DataSec2017 at the RDS on May 3. See www.independent.ie/datasec/ for further details.