New GDPR certification will reward compliant organisations

A survey carried out jointly by audit, tax, advisory and consulting firm Mazars and law firm McCann FitzGerald LLP has revealed a declining level of positivity towards GDPR and its benefits among Irish businesses. Belief that GDPR is beneficial for individuals has declined from 83 per cent to 69 per cent during the 12 months since the previous survey.

Furthermore, belief that compliance with GDPR places an excessive administrative burden on organisations has grown from 53 per cent to 69 per cent.

Meanwhile, concern about the consequences of non-compliance is on the rise, with 57 per cent of surveyed organisations expressing anxiety about fines, up from 46 per cent the previous year. More than three-quarters of the respondents (78 per cent) agreed the risks associated with GDPR non-compliance are increasing, while almost seven in 10 said they were more concerned about GDPR non-compliance than they were in May 2018, when the regulation was introduced.

A decline in positivity was to be expected, according to Mazars consulting partner Liam McKenna.

“Over the last few years, our understanding of what compliance entails has become clearer through regulatory decisions and guidance from the European Data Protection Board and the Irish Data Protection Commissioner. We are now much clearer on what is needed than we were in 2018.

“In addition, there is an increased focus from data subjects on invoking their rights and challenging what they see as non-compliant processes. All of this has resulted in organisations having to apply more effort and focus to data protection compliance than they may have anticipated when their compliance project completed in 2018,” he explains. “You can find yourself slowing down business decisions as a result.”

Paul Lavery, partner and head of McCann FitzGerald LLP Technology and Innovation Group, agrees. “There is still a generally positive vibe in relation to it, but it’s definitely cooling. That’s quite natural. The more you know about a specific piece of law, the more you understand the difficulties related to compliance.”

The initial positive sentiment was also related to the sense of achievement many organisations felt having complied with the regulation. “There was a bit of relief at getting over the line on May 25th, 2018,” Lavery notes. “They had come through a big compliance exercise which was all about getting the documentation and processes in place.”

Compliance burden

Both McKenna and Lavery point to a lack of recognition for fully compliant organisations as an issue. But that is going to change.

“We haven’t seen any formal certification yet for compliant organisations, but we hope to see some soon,” says McKenna. “Mazars is partnering with the Europrivacy organisation to deliver GDPR certification, which will hopefully bring recognition to compliant organisations.”

The overall compliance burden is weighing heavily on many organisations. “The recent WhatsApp decision has clarified that privacy notices need to be much more granular than what is commonly published. So, if you haven’t reviewed and updated your privacy notice post the judgment, you are likely to be non-compliant. Another common compliance risk is retention and destruction. How do you ensure that you don’t hold on to data for too long and differentiate what you should hold for longer, and that you have the measures in place to get rid of data when you don’t need it?”

“Perfection is the barrier to progress,” he adds. “We have seen organisations arguing about whether data should be retained for five years or six, and we’re saying to them that it doesn’t really matter as they are holding 27 years of data now. So just go with six, and you will be making enormous progress.”

Finally, McKenna explains that GDPR was introduced for a reason and should be seen as a positive.

“GDPR was established as a method of harmonising data protection processes across Europe; this has enabled free movement of data which is associated with the free movement of people, goods and capital. In addition, it puts in place the foundations for our privacy in a digital world. We couldn’t allow a continued degradation of privacy.

“If you had someone following you around watching what you do all day, every day, you would think it’s important to stop that. Yet there are organisations who know what you are doing every minute of the day and even know what you are thinking. There was a definite need for legislation to protect people. As more and more organisations, both public and private, improve their use of digital technologies and analytics a threat that once came only from big tech is now becoming pervasive.”