Steven Roberts is head of marketing at Griffith College. He is a certified data protection officer and vice-chair of the ACOI’s data protection and information security working group and has recently published a book, Data Protection for Marketers: A Practical Guide. In this guest blog, he provides guidelines for Irish businesses navigating GDPR compliance.
Few topics in recent years have exercised companies as much as data protection. Since the General Data Protection Regulation (GDPR) came into force on 25th May 2018, it has generated countless media articles, many of them focused on the potential for eye-watering fines of up to EUR20 million or 4% of global annual turnover, whichever is higher. In the past twelve months, Ireland’s Data Protection Commission (DPC) has issued its first significant penalties under the Regulation to a range of organisations including the HSE, Tusla, UCD and Twitter. As the Regulation marks its third anniversary, it is timely to consider some of the ongoing challenges businesses face. We will also look at some of the steps firms can take to develop a strong compliance culture around data privacy.
Lack of clarity regarding fines
Despite the coverage received, there is still very little clarity for businesses on the likely size of fines if they infringe the GDPR. This makes it challenging for boards and executive teams to accurately assess the potential risk to their companies. Whilst Twitter received the largest DPC fine to date, at EUR450,000, supervisory authorities in other European countries have imposed far larger penalties. The French supervisory authority (CNIL) issued Google with a EUR50 million fine, while British Airways was penalized £20 million by the UK’s Information Commissioner’s Office for a breach that affected more than 400,000 of its customers. It is likely to take a number of years before we see some level of harmonization and the emergence of a standard baseline for fines.
International data transfers
International data transfers continue to pose problems. In July 2020, the Court of Justice of the European Union ruled in the Schrems II case that the EU-US Privacy Shield was invalid. This had been a key mechanism for companies to transfer personal data between the two jurisdictions. Whilst the European Commission and the US negotiate a replacement, firms have had to rely on alternative transfer tools. These include Standard Contractual Clauses (SCCs), a set of Commission-approved terms that provide the appropriate safeguards required by the GDPR when they are incorporated into the contract between the data exporter and the data importer. The same judgment upheld SCCs but made clear that they do not, on their own, guarantee a lawful transfer: the exporter must also consider whether the law of the destination country undermines the protection the clauses promise. SCCs are therefore also undergoing a period of change.
In November 2020, the European Commission published a new set of draft standard contractual clauses. If approved, businesses will have 12 months to update their existing contracts. In the same month, the European Data Protection Board (EDPB) published draft recommendations requiring companies to assess, for each transfer, whether the law and practice of the destination country meet the standard of protection required under the GDPR and, where they do not, to put in place supplementary measures that close the gap. If adopted, this will place a significant burden on businesses, particularly small and medium enterprises who may not have the resources to undertake such an assessment or to implement the technological, contractual and organizational measures proposed by the EDPB.
On a more positive note, it appears the UK will receive an adequacy decision from the EU in the coming months, finding that it offers a level of data protection essentially equivalent to that required under the Regulation. The Trade and Co-operation Agreement between Britain and the EU, signed last December, included a grace period of four months (extendable by a further two months) during which data could continue to flow to the UK while adequacy was assessed. Many firms had feared this process could take up to 18 months, creating a host of compliance issues, as Britain would be deemed a ‘third country’ under the GDPR once the grace period ended. The European Commission’s draft adequacy decision in February of this year indicates a strong likelihood that the process will be completed far quicker than originally predicted.
Building an effective compliance culture
Whilst we have only looked at a fraction of the data protection issues facing businesses, it is clear this is a fast-moving area and one that requires constant monitoring. Firms can best prepare for these and other developments by building a strong compliance culture across the organization. Important steps include:
- Organizing regular and ongoing training for new and existing staff
- Undertaking data audits to establish clearly what personal data the firm processes, where it is held and why
- Putting in place clear policies and procedures across the organization and ensuring these are championed and supported by the board and senior management
- Identifying data champions across the organization, who can promote an effective culture at departmental and business unit level
- Operating in a clear and transparent manner as to how the business uses personal data
- Documenting all processing activity in order to tangibly demonstrate accountability
Data protection must remain a priority for Irish businesses during 2021 and in the years ahead. The Regulation is still at an early stage of adoption. The Data Protection Commission, in its draft Regulatory Strategy, has identified the need for greater clarity and consistency, noting that ambiguities still exist in how the GDPR is interpreted across EU member states. It is to be hoped that further progress will have been made towards that clarity, and towards a more consistent EU-wide approach, by the time the Regulation marks its fourth anniversary.