It’s not too early to start preparing for data protection changes

Companies will face stiffer penalties for data breaches under overdue new laws

New data protection regulations that put additional responsibilities on companies to protect information may not be implemented in Ireland for another two years, but enterprises should begin to prepare now.

That's the view of Adaptive Ireland's managing director Brendan Cannon. The company is a specialist in metadata management, and views the road to the new data regulations as a long-haul journey.

“Change is coming and we need to prepare,” he said. “Data is the lifeblood of every modern organisation.”

There has been a view for some time that data regulation in the EU could do with some extra muscle.

A series of landmark events, from the uncovering of the Prism surveillance scheme to the Max Schrems case against Facebook that eventually struck down the Safe Harbour agreement between the EU and the US, has focused consumers' minds on data privacy and what the rights and responsibilities are under the current legislation.

Government requests for information from companies such as Google, Facebook, Twitter and other social networking firms are a commonplace occurrence. At the same time, consumers are handing over an increasing amount of data to companies on a daily basis. With the expansion of the Internet of Things, that level of data is only going to grow.

Data protection authorities from around the EU have spent the past few years working on the new regulations, which will govern how personal data is managed in every member state.

Agreed in December 2015, the regulation was published in the EU Official Journal on May 4th, 2016, meaning the clock has now begun ticking: it applies across the EU from May 25th, 2018.

It’s well overdue. The original directive is now 21 years old, and in the intervening period there have been huge advances in technology, along with the development of a more cross-border market in which companies have struggled with fragmented legislation across the region.

The new regulations will address this evolution of technology and the uses of data. Some areas of the legislation will be simplified, experts said. But more significant is the inclusion of what has been described as “meaningful and dissuasive” penalties for those who fail to meet their obligations.

"Everyone processing personal data is subject to it," said Daragh O'Brien, speaking to attendees at an Adaptive Ireland information session. "Everyone from your corner shop to your multinational data management conglomerate."

Under the new laws companies face stiffer penalties for breaches of the rules, with fines of up to €20 million or 4 per cent of worldwide annual turnover, whichever is higher, for infringements that affect the fundamental data protection principles and the rights of data subjects.

“Most organisations are not complying with everything they need to today because the authority hasn’t had meaningful and dissuasive penalties,” said Mr O’Brien.

Mr Cannon explained there was more at stake under the new laws. Companies now need to have their data organised so that they can respond when a customer, or any other data subject whose information they hold, makes a request to access that information.

This is an important factor to take into account. Particularly for companies that have been doing business for some time, there can be multiple copies of data in different locations, from physical backups to multiple databases that have evolved over the years.

Mr O’Brien cited one case where the company in question had a customer relationship management system in place, but was also using Mailchimp to capture expressions of interest.

That caused problems because the two systems conflicted: customers who had opted out of communications in the CRM were being signed up again through the expression-of-interest campaigns.

“They were marketing to customers who were complaining,” he said.

But the definition of personal data under the new regulations means that smaller companies in particular may not realise that information they collect needs to be protected. That data can be about customers, staff or buyers: if there is personally identifying information on file, it counts.

The ultimate aim of the regulations is a more streamlined data protection system, with harmonised legislation throughout the EU. That is estimated to save businesses across the EU some €2.3 billion a year.

While there may be two years until the implementation of the new rules, companies should be warned: it’s time to start cleaning house.

Ciara O'Brien

Ciara O'Brien is an Irish Times business and technology journalist