Companies in Ireland will have to pay more attention to their data protection procedures in future as a new EU regulation to be formally approved by the EU in the coming weeks threatens companies with huge fines in the event of a data breach.  This was the message at the annual Data Protection Day briefing hosted by Anne-Marie Bohan at Matheson's Dublin offices today, 28 January 2016.

The General Data Protection Regulation, aimed at developing a more coherent and uniform data protection regime across the EU Member States, will require companies to ensure privacy is in-built into systems and products, and to report privacy breaches to authorities, or face sanctions of as much as 4% of global revenues, which supporters believe will motivate organisations to reassess their data protection policies.

Anne-Marie noted, “Misuse of customer data or a data breach will be an expensive mistake for companies in Ireland and Europe, and given the recent findings of the Irish Computer Society that more than half of companies surveyed had experienced one or more data breaches in the last 12 months, this is a serious issue for Irish business.”

“The considerable risk associated with noncompliance means that Irish businesses - both indigenous and international companies operating in Ireland - need to have a better understanding of where the personal data in their organisations is stored, who has access to it, what it is used for, and how it is secured. Ultimate responsibility for data protection compliance now rests firmly at management and board level,” she added.

The new regulation will also seek to address the perceived lack of this specialist capability within businesses by requiring larger companies to appoint a Data Protection Officer. The role is well defined with a requirement for the position to report to the top level of management with independence protections in place. Anne-Marie was of the view that smaller organisations will need to consider engaging external data protection advisors to assist with compliance.

While the new regulation is expected to come in effect in early 2018, Anne-Marie emphasised that the “The new EU regulation is based on the principle of ‘Privacy by design and by default’, in that data protection safeguards must be built into products and services from the outset and apply by default. Companies that store and process data should now start the review and planning needed to ensure that data protection procedures are pro-actively built into every element of their product or service offerings.”

Ireland will have an important oversight and enforcement role, as a European hub for social media, financial services and technology companies.  Ireland's Data Protection Commissioner, Helen Dixon, the guest speaker at the Matheson briefing, emphasised the increase in skilled resources in the office of the Irish Data Protection Commissioner - lawyers, technical compliance specialists, security technology auditors among others - and describes the ongoing specialist recruitment to the Office. She outlined that "The increase in skilled resources at the office of the Irish Data Protection Commissioner is already allowing us to respond faster to identified areas of risk to the data protection rights of individuals." She added that "combined with the increased enforcement focus of the forthcoming General Data Protection Regulation, both public and private organisations would be well advised to renew their focus now on their obligations under the law to protect the individual's right to data privacy".

About the General Data Protection Regulation

On 15th December 2015, negotiations between the EU Commission, the EU Parliament and the EU Council concluded with agreement being reached on text for the new General Data Protection Regulation.  It concludes nearly four years of negotiation and when enacted it will replace the 20 year old Data Protection Directive (95/46/EC).

This new regulation aims to strengthen fundamental data protection rights across the EU as well as remove barriers for businesses and allow them to make the most of the opportunities of the European Digital Single Market.  As an EU regulation it will be directly applicable in all EU Member States without the need for national legislation. The draft agreements were passed by the Committee on Civil Liberties, Justice and Home Affairs on Thursday 17 December 2015.  The final text is expected to be approved by the EU in the coming weeks and it is expected to come into force in early 2018.