GDPR Compliance Looms Large

22 March 2018

In its Salary Survey 2018 report, recruitment consultancy Abrivia is cheery on the prospects for legal clients and their highly-paid staff. “The introduction of the General Data Protection Regulation in May 2018 is a huge opportunity for legal firms to provide consultancy services to an ever-increasing client base, as any firm which deals with personal data will be affected by GDPR,” the report states. “GDPR offers legal firms a huge opportunity to expand their client base.”

None more so perhaps than Mason Hayes & Curran, the top-tier commercial law firm based in Dublin’s Silicon Alley. MHC has carved out a pre-eminent position in Dublin’s law scene in the areas of Privacy and Data Security, which has been a growth area in Ireland for years due to the influx of American companies that operate online across Europe from their bases in Ireland.

The European Union-mandated GDPR represents a step change in the regulations and laws surrounding personal data. In its most recent ‘Getting Ready for GDPR’ advisory, the Mason Hayes briefing on the subject extends to 42 pages of text. The briefing paper lists 22 Mason Hayes partners, associates and consultants who have expertise in this area, and peer firms have been ramping up their expertise too.

Also expanding is the Irish regulator, the Data Protection Commissioner. Its budget for 2018 has been increased by half to €11.7m to fund the recruitment of 40 additional staff, bringing the total headcount to around 130. In 2014, €2m was sufficient to fund DPC operations, and the expansion reflects the DPC’s role in regulating the personal data processing activities in Europe of most of the world’s top internet technology multinationals.

All new regulations are a cost and administrative burden for business. The problem with the GDPR is that nobody can be sure what exactly the Regulation means in practice. Even the DPC anticipates an “unprecedented increase in its workload”, due to “the legal complexity of issues dealt with”. If the regulator is befuddled by GDPR, what chance for the average SME?

For the bureaucrats who dreamt up GDPR, its main target is large institutions and organisations that process the personal data of hundreds of thousands or millions of people. However, there are no exemptions from GDPR based on size. If a business or organisation processes any amount of personal data, it comes within the GDPR ambit.

Under the GDPR, there has to be a lawful basis for processing any personal data. These reasons span consent, contract, legitimate interest and legal obligation, and, if asked, the data processor has to know which one it is. In its advice to SMEs, the Data Protection Commissioner recommends that small firms should maintain a ‘data protection risk register’, so as to demonstrate compliance in the event of a regulatory investigation or audit.

Sanctions for non-compliance with the GDPR are meaningful: up to the greater of 4% of annual revenue or €20m. It’s this kind of stick that has business worried, especially those firms whose trade is mainly conducted online. For the vast majority of small firms, the GDPR will never be an issue – unless something goes wrong or the DPC swings by for an audit.

One of Mason Hayes & Curran’s data privacy experts is partner Oisin Tobin, who works out of the firm’s office in San Francisco. In the following interview, Tobin shares his insights into the GDPR impact on business.

Legal rules surrounding Privacy and Data Security have been in place for decades. So what’s changing with the GDPR?

OISIN TOBIN: The current data privacy rules were adopted in Europe in 1995, and Ireland initially adopted legislation dealing with data security and data policy issues in 1988. So these issues aren’t new. What is changing is that from a business perspective data has become more important for most companies and is working its way up the priority list. Secondly, the rules surrounding personal data are becoming more complex, and penalties for breaking those rules will be a lot heavier.

In addition, the personal data rules in the GDPR are very complex. Under the current Data Protection Act, the rules we have at the moment are principle-based. There are general principles around data security, processing data fairly and so forth. The GDPR keeps those general principles but it also adds very technical and complex requirements, some of which are open to interpretation. I think the GDPR is going to be challenging for a lot of businesses, particularly organisations that don’t have the resources to devote full-time personnel to the issue.

This article was originally published in the Business Plus magazine on Wednesday, 7 March 2018.

The content of this article is provided for information purposes only and does not constitute legal or other advice.