The Irish government and data protection commissioner have pledged to step up their education of the country's organizations regarding the implications of the incoming EU General Data Protection Regulation (GDPR), amid fears over low awareness levels.
"We've engaged with a lot of companies that hold a lot of sensitive data, but they don’t even know what the GDPR is." — Ronan Murphy
Last week, Irish tech scene representative Ronan Murphy said the government had not done enough to inform businesses and other organizations about the impact of the GDPR, describing the lack of general awareness as "mind-blowing."
"I know there's a fundamental lack of understanding by businesses as to what the GDPR is, and how important the GDPR is, and also the scope of the GDPR in terms of the amount of work that has to be conducted by companies," Murphy, the chairman of the IT@Cork trade body and CEO of cybersecurity firm Smarttech, told The Privacy Advisor. "We've engaged with a lot of companies that hold a lot of sensitive data, but they don’t even know what the GDPR is."
Murphy claimed the "vast majority" of Irish academic institutions had not even begun the process of understanding the classification of their data, let alone conducting privacy assessments. He also said he had this month spoken to a hotelier who controls the data of thousands of visitors over the past two decades, but who thought his small hotel chain must "surely" not fall under the regulation.
"The problem here is that it's such a broad scope that the timeline of next May is approaching very quickly," he said. "This isn’t something that can be done in a few weeks. If you hold a lot of data, this is a much bigger project than people are anticipating."
According to Ronan Murphy, the government needs to produce a "bigger push on the urgency surrounding this" – and according to Dara Murphy, Ireland's data protection minister, that push is imminent.
"The first set of GDPR guidelines was published by the Article 29 Working Group just before Christmas with the result that awareness-raising activities, including that undertaken by the Irish [data protection authority], will now begin to enter a new more intense phase," the minister told The Privacy Advisor. "Sixteen months out and Ireland, like all member states, has plenty of work left to do to get the message about GDPR out to SMEs, however as a government we have been pro-active from an early stage and I'm confident we're getting the message out there."
Dara Murphy added that he would be using the opportunity provided by the annual Data Protection Day this coming January 28 to "reiterate my calls for organizations to get GDPR-ready."
How serious is the problem, though? According to Kate Colleary, a solicitor and the co-founder of data protection consultancy Frontier Privacy, constant media coverage of the GDPR in Ireland means businesses do realize that the regulation is coming and that it does apply to them. However, many don't realize how much work will be involved.
"They know it's coming down the track. They know it's going to do something and change the landscape in terms of their data processes, but perhaps they think they’ll deal with it in May 2018," Colleary said. "They're not understanding that it's not just a matter of drafting procedures and protocols and putting them in a folder. They have to be live documents and staff have to be trained on them. They do need to start now."
Colleary added that her consultancy has this month started getting lots of calls from mid-sized companies asking for its GDPR-preparation services. However, she also warned that many smaller businesses probably won't think about it until there have been a few high-profile fines. "We will see people start to panic when people in the same sector are being fined at high levels," she said. "Not social media companies [which often base their international headquarters in Ireland] – the first of the small-to-medium-sized companies that are fined will cause a huge impact."
The solicitor added that she would on Tuesday be meeting with Helen Dixon, Ireland's data protection commissioner (DPC), to discuss "getting the word out."
"Having spoken at a great number of events in Ireland on the GDPR already in 2017, we are agreed with the legal practitioners we have heard commentating on the GDPR to the effect that driving awareness will be a combined effort of the regulator, the practitioners, the industry and professional representative bodies, and government," a spokesperson for Dixon's office said via email.
The DPC has "pursued all relevant opportunities to contribute to blogs or be interviewed by a variety of media sources in order to push awareness of the GDPR out to as broad an audience as possible," and has also specifically targeted awareness in the Irish public sector "given the sometimes longer lead-in times to readiness in that sector," the spokesperson said.
However, the spokesperson also said the DPC has "identified a need … to launch a publicity campaign using all forms of media (including radio, social media and print media) that will target the broadest possible base of the Irish public and business to ensure that there is awareness that the GDPR is not a sectoral law that applies to banks or insurance companies or big internet companies only … The media in Ireland has been particularly engaged around GDPR but we do believe there is an element of those listening not fully grasping that the law applies to them rather than some specific industry sector."
DPC information campaigns will roll out in February and March, to make people aware of their data access rights and to push the message that the DPC will from May 2018 have much heftier fining powers than it presently has.
The regulator released a 12-point set of GDPR preparation guidelines for the country's organizations at the end of November last year. The spokesperson noted the DPC was preparing updated guidance that takes into account the "more detailed guidance notes Article 29 has now published on data protection officers, lead supervisory authority and the new right to portability."
If you want to comment on this post, you need to login.