The GDPR – 6 Actions Irish SMEs Must Take NOW
Editor’s Note: Ciaran Molumby is the Business Development Manager at the Dublin Headquarters of Dataway, an international cutting-edge company devoted to helping companies meet the challenges of network and Cyber security threats. Mr. Molumby is an expert in GDPR regulations and how they will affect Irish businesses. He can be contacted at email@example.com.
This is the first in a series of interviews with Ciaran to help make Irish SMEs fully aware of the GDPR. This interview was conducted in early July 2017.
Ciaran: Before we get started I want to stress my main point: Irish businesses, no matter what size, need to start preparing for new GDPR regulations right now. Many people aren’t aware how onerous the GDPR is, or the consequences it could have if you don’t meet these rigorous new rules. If you do not comply, your business could be heavily fined. And I’m not talking hundreds of euro. I’m talking thousands, tens of thousands, even millions of euro in fines, depending on the size of your business.
DB: Ciaran, I’m certain that will get people’s attention. Now make it easy for us. What is the GDPR?
Ciaran: The General Data Protection Regulation – the GDPR – is a new EU Law protecting the rights to Privacy for You and Me as individuals. It is the biggest EU-wide legislation ever passed. It is a good thing for us all but getting there will take some effort for organisations who collect and hold personal data. Personal data is any data that can identify a unique individual, such as name, address, health records, employee records, email addresses, and similar.
DB: What kind of business must comply with this new law?
Ciaran: As I say, any company who holds personal data on their IT systems. For example: let’s say you own a small business, like a flower shop. On your IT system you retain names, addresses, credit card details, and email addresses of your customers. This is personal data and therefore you must comply with these new rules.
DB: But that means most businesses will be affected?
Ciaran: That’s correct. Doctors’ surgeries and other medical practitioners, dentists, schools, companies using rewards programmes, manufacturers, logistics and delivery companies, IT companies, mobile phone and other retail establishments... the list goes on and on. If you store and retain personal data of your customers or employees you must comply.
DB: Got it. But why should anyone be worried or interested? I mean what happens if I, as a business owner, do not comply?
Ciaran: Because in Ireland the Data Protection Office will enforce the GDPR. They have budgets in the millions of euro. They already employ over 80 people and will be hiring more.
They will be conducting Audits, much like the Revenue Commissioners. They will be issuing stiff penalties to those companies found non-compliant without going to any court. And you can be sure, with the budgets they have the Data Protection Office will be stretching its muscles and fining companies both big and small.
Why should Irish companies be interested? Because if you don’t comply you can be fined 4% of your company’s previous year’s turnover, or up to €20 million, whichever is bigger. For a smaller business that could seriously affect their ability to keep trading. And if nothing else, it’s going to put a huge dent in cash flow and profits.
DB: Okay, understood. The GDPR is serious. So what should SME managers and owners do? What can they do right now?
Ciaran: The GDPR comes into law late next May, 2018. But there’s no time to waste because there’s a lot to do. Here are my recommendations:
1. Appoint an owner who reports directly to management. By ‘owner’ I mean a person who is responsible for the personal data you retain.
2. Find out what areas of the business are GDPR relevant and at risk.
3. Immediately look at processes and contracts that are GDPR relevant.
4. Begin to lock down gaps and user access.
5. Engage external companies to support you where needed.
6. Begin Managed End-User Privacy Training as soon as possible.
DB: And that’s only the start, correct?
Ciaran: I’m afraid so. The first thing Irish companies should do is to become fully GDPR aware. You can do that by getting a free copy of the PDF handbook, The GDPR and You. It’s published by the Data Protection Commissioner and is available at https://www.dataprotection.ie/docimages/documents/The%20GDPR%20and%20You.pdf.
DB Computer Solutions has also put together a Blog with comprehensive information about the GDPR available at https://www.dataprotection.ie/docimages/documents/The%20GDPR%20and%20You.pdf.
The important thing to remember is: the GDPR takes effect on 25 May 2018. That’s not a lot of time to prepare and it will require a cultural change across most organisations to achieve and maintain compliance. There are so many time consuming changes to be made, and SME owners and managers must start immediately if they are to meet the deadline. There’s that much to do.
DB: What if companies need help?
Ciaran: They should contact companies with deep knowledge of the GDPR and who have the resources to offer sound and practical advice. For instance, the company I work for, Dataway (www.dataway.com) is ready to help. Your own company, DB Computer Solutions (www.dbcomp.ie) can help companies protect data with firewalls, software, and similar, and implement sound backup policies, which are part of GDPR requirements.
DB: Thank you Ciaran. We surely appreciate your advice and expertise.
Do you have a question for Ciaran about how the GDPR will impact your business or the steps you should take to make sure you are in compliance?
Email firstname.lastname@example.org. Please put ‘Question for Ciaran’ in the Subject Line.