What is GDPR? Web security issues to move centre stage for Irish firms

Published May 2nd, 2017

Website security issues are likely to dominate the agenda of Irish businesses for the rest of the year as more and more organisations across the State come to terms with the key question: What is GDPR?

The clock is ticking for those unfamiliar with GDPR. The shortest answer is that GDPR is legislation ushering in a new era of stringent cyber security in Europe. Essentially, if you are still puzzled by the question "What is GDPR?", it is something that will hold organisations that process the data of European citizens more accountable than ever for the security of that data.

The GDPR legislation, which comes into force on May 25, 2018, applies to all organisations and businesses that process the data of European citizens. These are not geo-specific laws. They apply even to those organisations that do not have a physical presence in Europe.

Irish organisations that process the data of European citizens have been sluggish in ensuring that they will be ready for the new era of data security that dawns in May 2018.

A mid-April report on research undertaken by Ireland’s largest information security provider, Ward Solutions, found more than 40 percent of Irish businesses and organisations without any detection or response plans for dealing with potential security breaches.

Non-compliance with GDPR carries the risk of a fine of up to 4 percent of annual global turnover (or €20m, whichever is larger), and liability for the compensation of anyone who has suffered either material or non-material damage as a result of GDPR non-compliance.

The research also revealed that 13 percent of 170 firms surveyed had no knowledge of where their customer information is stored, putting these organisations on a chaotic collision course with GDPR, which will come into effect on May 25, 2018.

Despite these eye-watering penalties, the Ward Solutions research found that a significant number of firms had not engaged at all with the What is GDPR? question. More than a quarter of the organisations surveyed either had no awareness of GDPR or had not begun preparing for it, while 20 percent of company directors were unaware of the penalties for GDPR non-compliance.

GDPR will hold organisations more accountable than ever for data security, while enshrining the ‘right to be forgotten’ and a number of other rights in relation to how companies store and handle personal data.

The legislation requires organisations to know where and how data is stored, while public authorities or businesses undertaking large-scale personal data processing must appoint a Data Protection Officer prior to the legislation coming into force on May 25, 2018.

GDPR also stipulates ‘Privacy by Design and by Default’ in new processes for business products and services, while strategies for accountable and timely detection of and response to data breaches are also required.

Nowhere is the scale of the challenge more evident than in the area of website cookies. Under GDPR, any online identifiers, even those that don’t directly identify individuals, can be considered personal data if there is potential for an individual to be singled out.

GDPR will require businesses and organisations to re-think consent with regard to identifiers such as cookies. Implied consent will not work. Under GDPR, consent must be as easy to withdraw as it is to grant. Time-worn approaches, such as telling visitors to block cookies if they do not consent, will not comply. The GDPR position is that customers must always have a clear and genuine choice. “By using this site, you accept cookies” statements will not comply. And even where the consent given is valid, there must be a way for people to change their minds.
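As an added illustration of the consent rules described above (example code written for this article, not anything from the original piece or from Ward Solutions), the following consent gate sets non-essential cookies only after an explicit opt-in, treats "no decision" as no consent, and makes withdrawal a single call that also purges what was set. A Map stands in for the browser cookie jar so it runs in Node.js; the cookie names and the essential-cookie list are assumed.

```javascript
// Added example: a consent gate for non-essential cookies.
// The Map passed in is a constructed stand-in for document.cookie.
const ESSENTIAL = new Set(["session"]); // assumed list of strictly necessary cookies

class ConsentGate {
  constructor(jar) {
    this.jar = jar;        // cookie store (Map<name, value>)
    this.consent = null;   // null = no decision recorded; implied consent is NOT consent
  }

  // One call grants, the same call withdraws: withdrawal is as easy as granting.
  // Withdrawal also removes every non-essential cookie already set.
  setConsent(granted) {
    this.consent = granted === true;
    if (!this.consent) {
      for (const name of [...this.jar.keys()]) {
        if (!ESSENTIAL.has(name)) this.jar.delete(name);
      }
    }
    return this.consent;
  }

  // Returns true if the cookie was set. Essential cookies never need consent;
  // anything else requires an explicit, recorded opt-in.
  setCookie(name, value) {
    if (ESSENTIAL.has(name) || this.consent === true) {
      this.jar.set(name, value);
      return true;
    }
    return false;
  }

  hasDecision() { return this.consent !== null; }
}

// Walks through the cases the article lists and returns the outcomes.
function demo() {
  const gate = new ConsentGate(new Map());
  const r = {};
  r.essentialBeforeChoice = gate.setCookie("session", "abc");     // allowed without consent
  r.analyticsBeforeChoice = gate.setCookie("_analytics", "xyz");  // refused: merely visiting is not consent
  gate.setConsent(true);
  r.analyticsAfterConsent = gate.setCookie("_analytics", "xyz");  // allowed after explicit opt-in
  gate.setConsent(false);
  r.analyticsAfterWithdrawal = gate.jar.has("_analytics");        // removed on withdrawal
  r.sessionSurvivesWithdrawal = gate.jar.has("session");          // essential cookie stays
  return r;
}
```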

In Ireland, organisations are being reminded that GDPR applies to any organisation that processes the data of EU citizens, regardless of whether that organisation has a physical presence within the EU.

The Ward Solutions research is the latest in a succession of GDPR warning shots for Irish organisations.

Lack of GDPR-readiness and unfamiliarity with the What is GDPR? question is not limited to Irish firms. Earlier this month, global information services group Experian, following a survey of 1,431 professionals in organisations throughout the UK, US, Australia, Brazil, France, Germany, Spain and Singapore, revealed that 48 percent of international companies surveyed were not prepared for the new legislation.