Despite being just one month away from the ‘go live’ date, only 22% of businesses feel sufficiently prepared, with more than half (52%) saying they are only ‘somewhat prepared’ and a quarter (25%) claiming that they are ‘not at all prepared’.
Still time to prepare
However, A&L Goodbody Partner Mark Thompson reassured companies that there is still time to prepare for GDPR. “It comes as no surprise that local companies are feeling concerned about a potential GDPR breach – especially given some of the alarming press coverage in recent months about the new penalty regime for failure to comply,” he said.
“There are complexities to the legislation and there are key commercial decisions to be taken by businesses – but there are essentially two basic principles to the regime: increased transparency and increased accountability. If you buy into transparency, there is little to fear in the latter.
“In order to be compliant, companies must understand what data they collect and hold, why they hold it, where it is stored, how they use it and who it is shared with. They must then take the necessary steps to amend their internal policies, IT and operational processes and governance accordingly – something on which a legal advisor or GDPR specialist can advise.”
When asked what impact GDPR will have on their ability to market their service, 55% of companies believe it will have a ‘minor impact’, with only small adjustments to their marketing processes required. Over one third (36%) say they will have to make ‘significant adjustments’ and six per cent say they will have to ‘completely transform’ their marketing processes to ensure compliance.
“Ensuring compliant marketing processes will be one of the biggest challenges under the GDPR,” continued Mr Thompson. “Companies must review their existing methodologies and databases to understand the legal basis upon which they are currently relying for marketing – such as an individual’s consent or a legitimate business interest.”
According to Mr Thompson, many companies are defaulting to a consent-based model where it is not necessarily the best basis for their business model. “If consent is the basis being relied on, it is vital that it meets the qualitative requirements to be a valid consent under the GDPR,” he said. “Companies must also check that they have kept a record of who has previously unsubscribed from receiving marketing communications and ensure not to contact these individuals again.”
Subject Access Requests
Only 18% of respondents say they are confident that they have GDPR compliant systems in place to deal with a Subject Access Request (SAR) – an important element of the regulations – with 17% saying that they don’t even know what a SAR is.
A SAR entitles an individual to have a report of data held about them and how that data is being used by an organisation. Under GDPR, companies can no longer charge a fee for responding to a SAR and must find, gather and disclose an individual’s data to them within 30 days – a significant reduction from the current 40-day timeline.
Mr Thompson commented: “Missing the timetable will put companies in breach, so it is important to have a well-structured process for responses in place before the regulations go live. Organisations should update their procedures and train relevant employees to recognise and respond effectively to SARs in accordance with the new legislation.
“There aren’t many examples of processing in Northern Ireland not permissible under the new regime, provided that customers are aware how companies will be using their data once they have been given it.”
Act now before it’s too late
Ann McGregor, chief executive of the NI Chamber of Commerce and Industry, commented: “The message here is very clear – companies must act now before it’s too late and I would urge all members to review their processes to determine what changes they need to make to be compliant with GDPR.
“The Chamber has recently hosted a number of events and published a wide range of GDPR-related material, and we will continue to support our members in any way they can as they prepare for, and adapt to, GDPR in the coming months.”