Who Will the Work Fall on as Irish Firms Unprepared for Changes to Data Protection Laws?

28 April 2017

Experts have warned that Irish organisations aren't prepared for tough new data-protection laws which come into effect next year and much of the preparatory work will fall on lawyers.

The legal profession has an uphill struggle in making Irish organisations aware of the implications of the General Data Protection Regulation (GDPR), according to Mark Adair, a technology-focused partner in Mason Hayes & Curran.

Mr Adair says that given the scope of the new laws and the proximity to their enforcement, he and his colleagues are quite concerned that Irish organisations are not better prepared.

"As we are just over 12 months away from the GDPR coming into force, we would have expected organisations to be there or thereabouts by now, but many are not," he said.

"The bigger organisations that have large in-house legal firms and IT specialists are certainly further along than the SME sector, but it's important to remember this legislation will not just target the large social media firms, the banks and multinationals, it is for everyone. Organised clients are getting help now."

Companies must train staff, review and change client contracts, amend privacy statements on electronic communications and learn how to deal with data access requests, as well as addressing security processes before the rules kick in.

Mr Adair says that there is a fundamental misunderstanding in many organisations, which believe that the new regulation is purely a matter for IT security.

"The GDPR is in essence a privacy law with the aim of protecting people, which is something that tends to get lost when technology experts start to talk about the effects it will have on business," he said.

"That's the message that we are giving to clients, and it is interesting to see the lack of awareness that there is out there - some people are coming to us who are only now starting to investigate what GDPR will mean for their business, and there are others who know about GDPR but don't know what steps they need to take in order to be compliant."

He warns that GDPR will trigger a boom for some litigation lawyers.

Under the GDPR if a data subject believes their personal information has been handled in a non-compliant way their remedies range from lodging a complaint with the Office of the Data Protection Commissioner, to taking a case against the data processor in court and seeking compensation.

Each of those rights is exercisable and the individual is under no obligation to go through all the steps before taking legal proceedings. If an aggrieved client has the will and the means, they can take the organisation in question to court straight away, under the new rules.

According to Mr Adair, Irish businesses should not take the risk and emphasises that it is now time to start preparing hard for the new legislation, particularly for SME's, many of whom are of the belief that the new law is something aimed solely at bigger firms.

The DataSec 2017 conference takes place on 3rd of May in the RDS in Dublin.

The event will provide expert speakers, information and insight to help your business comply with GDPR and get the most out of the new legislation. Click here to book your place now.

This article was originally published in the Irish Independant on Thursday, 27 April 2017.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

If you would like to discuss any of the issues raised in this article, please contact Mark Adair.

  • LinkedIn