The introduction of the General Data Protection Regulation (GDPR) in May 2018 marked a fundamental change in how organisations are required to deal with data protection issues. Whilst data privacy best practice was always a consideration for businesses and their boards, the potential for significant fines, brand and reputational damage has ensured its importance has risen substantially. As the GDPR marks its fourth anniversary, it is timely to consider some of the key privacy challenges facing companies in 2022.
Challenge Number One: Navigating Increased Complexity
The GDPR was introduced to provide a harmonised approach to data protection across all 27 EU member states. While this remains an ambition yet to be fulfilled, it has also triggered a wave of similar legislation internationally. Countries such as China, Canada, South Africa and Brazil have brought in new privacy laws. There is no sign of a federal law in the USA; however, many states and local jurisdictions have passed their own. The best known of these is the California Consumer Privacy Act (CCPA), which mirrors many aspects of the GDPR.
Boards and their executive teams need to regularly review the data protection structures within their companies. Irish businesses with an international footprint must ensure sufficient resources are in place to monitor and adhere to national, European and global compliance requirements.
Challenge Two: Effectively Assessing Risk
Under GDPR, companies can potentially be liable for fines of up to €20 million or 4% of global turnover, whichever is the greater. Because the Regulation was new, boards faced considerable difficulty in 2018 assessing the risk profile arising from a potential data breach. Whilst a baseline has yet to be achieved, there is now significantly more information available to utilise in this decision making. Across Europe, data supervisory authorities issued almost €1.1 billion in fines in the twelve months to January 2022. Many of the largest were for breaches at technology firms. Irish organisations from a range of sectors have also been fined by Ireland’s Data Protection Commission (DPC).
Directors must ensure their companies’ risk profiles are updated to reflect these recent developments, in particular taking account of similar fines within their industry or sector. For firms with an international presence, the scale of local penalties should also be taken into consideration.
Challenge Three: Onboarding New Technologies
Ireland has witnessed substantial digital transformation over the past 24 months, as businesses sought new markets and adapted to changing consumer expectations. Technologies such as artificial intelligence, robotics and machine learning sit at the heart of the twenty-first century economy; these systems present both opportunities and risks. The use of customer data in increasingly complex ways, involving multiple technologies, requires input from stakeholders across the company and needs to be communicated to the public in a manner that is transparent and easily understood.
Directors must ensure that data protection by design and by default is baked into any project. Data privacy must be considered from the outset – a key requirement of the GDPR. Ethics plays an integral role here, balancing what can be done with what should be done.
Challenge Four: Building an Effective Privacy Culture
Training lies at the heart of any effective data protection culture. It has perhaps never been as important, given the level of staff turnover businesses are experiencing during the ‘Great Reshuffle’. Many companies undertook GDPR training in the run-up to the Regulation’s introduction in 2018. Yet, to remain top of mind, data privacy training cannot be a one-time event.
Ireland’s population is increasingly aware of its privacy rights. In 2021, the country had the fourth highest number of recorded data breaches per capita amongst European countries, at 130.1 per 100,000 population. The Data Protection Commission’s Annual Report for 2021 noted a 7% increase in the number of complaints and enquiries it received, with a combined total of just under 11,000. Commenting on data breaches, the DPC noted that a large majority related to unauthorised disclosure. It cited ‘poor operational practice and human error’ as key factors.
Directors need to ensure regular GDPR training takes place across the organisation, both for new inductees and as a refresher for existing staff. It must be led from the top, with senior leaders seen to visibly support and advocate for data privacy best practice. In larger firms, particularly those with an international presence, local data champions should be identified to support the work of legal and compliance teams, advocating within their business unit or department.
Challenge Five: Improving Record Keeping
Accountability is a core principle of GDPR. Companies must be able to document and demonstrate an effective data protection culture across the organisation. As part of this, clear and well-thought-out processes and procedures must be put in place. Under Article 30, companies are required to maintain a record of processing activities. The Data Protection Commission recently stated that many companies are keeping poor or incomplete records. This is particularly concerning at a time when Irish businesses are onboarding new digital platforms as part of broader transformational efforts.
Directors must ensure regular data audits are undertaken. Compliance and legal teams, with input from departments across the business, should be empowered to ensure data processing records are accurate, comprehensive and up to date. Keeping a data protection item on the board’s agenda, and placing it as a priority within the remit of risk and audit committees are important elements of good corporate governance.
The past decade has seen a considerable increase in the governance obligations of boards. As a result, Irish directors have wide ranging fiduciary duties to their companies. Data protection best practice must form an important element of the board’s oversight of corporate activities. The potential for brand, financial and reputational damage arising from a data breach is considerable. At a time of growing complexity at both a national and global level, boards must ensure an effective privacy culture is in place within their organisations, underpinned by ongoing training and a visible, demonstrable commitment from leadership and executive teams.
Notes
1. Examples include variations in what is considered best practice in consenting to the use of website cookies, and in the treatment of business contacts for direct marketing purposes.
2. According to some estimates, up to 90% of data breaches are the result of human error.
3. Article 30(5) of the GDPR outlines some exemptions to this requirement for businesses with fewer than 250 employees.