Is your business ready for the GDPR?

James Gallagher 23.06.2017

It is very difficult to quantify the value, monetarily, of personal data held by organisations today.

However, it is often billed as “the new oil”, and one only has to look at the valuation of companies like Google, Facebook and Amazon, which hold huge amounts of data, to see that this analogy is not without foundation.

In this context and in light of the continued push by organisations to collect and “mine” data, the General Data Protection Regulation (GDPR) which the European Union is implementing, aims to make businesses more accountable for data privacy. It also offers European citizens extra rights and more control over their personal data. All businesses must be able to prove compliance by May 25th 2018. 

To ensure that Morgan McKinley is fully aware of the impact the GDPR will have on our business and our clients’ businesses, we recently had a number of consultants attend the GDPR Summit run by the GDPR Awareness Coalition. The summit was run very well, and a number of excellent speakers discussed recurring key themes.

One of the key findings was that, despite every sector in every single industry being affected by the GDPR, the general lack of awareness, especially at a senior level, of its far-reaching and extremely costly ramifications is astounding. For very serious data breaches, companies will be subject to fines of up to €20 million or 4% of total worldwide annual turnover (whichever is greater). All organisations, regardless of size and profitability, are subject to the same fines. Serious breaches must be reported to the Data Protection Commissioner within 72 hours, and this requirement will be strictly enforced.

There is a definite air of uncertainty about the implementation of the GDPR. For example, 85% of all SMEs store data which will fall within the scope of the GDPR, but only 55% of those surveyed were aware of the GDPR and its consequences. One thing is for certain: inaction will lead to trouble for organisations.

Advice from the summit centred on the necessity for businesses to immediately commence running projects to ensure they are prepared. As fines will impact the CEO or Board, they should be the GDPR project drivers.

These projects should include:

  • Identify all personal data of employees and customers which you currently store, and audit the data stored. Ask yourself why you have this data;
  • Establish which data is business critical and which isn’t (remove all data that is not);
  • Establish your third-party risk. Do you use outsourcers or any cloud-based service providers? If so, what are their steps for data security? If they hold data which you have collected on customers or employees, your business will also be liable for their breaches;
  • Educate all heads of department on the risks and implications of the GDPR;
  • Ensure that your company is able to demonstrate an auditable data trail, and keep records of compliance so that you can show an audit trail to the Data Protection Commissioner following any future breach; and
  • Establish training programmes to drive behavioural change across your business at all levels, so that employees know how to act in the event of a data breach and how to ensure that breaches don’t happen in the first place.

In addition to these immediate projects, organisations are also being advised to do the following:

  • Appoint a Chief Information Security Officer (CISO), who needs to be completely aware of the processes and technology involved in data capture and retention;
  • Appoint a Data Protection Officer (DPO) who reports to the Board or CEO. The DPO must be independent and cannot be an individual who can be influenced by management or other staff;
  • Ensure records of consent are obtained for every individual your company holds data on;
  • Ensure all organisations throughout your supply chain are compliant, and that you have reviewed all service level agreements in place in relation to the GDPR; and
  • Put crisis management plans in place to prepare for when a data breach occurs.

It is worth considering that, as this year progresses and business awareness of the consequences of non-compliance begins to hit home, there will be increased demand for legal and compliance professionals, data security specialists and project managers in relation to the GDPR. Smaller organisations will be competing with larger ones for consultancy services, so SMEs need to act sooner rather than later in engaging consultants, external advisors and trainers.

Morgan McKinley has established a team of consultants to ensure we can service the current and future demand for these professionals across our client base. If you are starting a project in relation to data protection, security and compliance and require any resources or advice, please feel free to get in touch.

James Gallagher, Practice Leader
