Listen to our GDPR podcast

GDPR – What is it? Who has to comply? What does this mean for my business? Accountancy Ireland talks to Peter Bolger of LK Shields, Gavin Doherty from 247 Meetings and Niall Tierney from Tierney IP to get your questions answered in this special GDPR podcast.

Latest GDPR articles

It is just over one year since GDPR went live, and the new regulations and those responsible for enforcing them are flexing muscles in landmark, high profile cases. The launch may be behind us but GDPR is now an everyday reality. The main way to ensure compliance is to stay informed. We have developed a special, online interactive course in collaboration with legal experts from ByrneWallace to help you with this. We provide all the information and resources in one place that you, as an accountant, need to ensure your firm or organisation remain compliant. Interactive and engaging, GDPR for accountants - a practical guide to ongoing compliance, provides an understanding of and templates for policies and practices that should be implemented.  The course is entirely online allowing flexibility with where, when and how you work. All content is on-demand, meaning you can access when it suits you.  We have created pre-recorded video content and easy to understand written content to get you up to speed on this all important area crucial for any business from the sole trader to the state organisation and multinational corporation. We are offering a special offer as we launch this course:  For the month of September, we have an introductory discount which means you will have access for six months for just €50. Not only will you avail of a great deal saving you €25 off the normal fee, you will be awarded three CPD hours too. For more information and to book, click here. Use the discount code gdprdisc at the checkout to avail of this special offer only available for the month of September.   

Aug 30, 2019

Meeting General Data Protection Regulation (GDPR) compliance requirements has become a top priority for the majority of Irish businesses over recent months. Accountancy practices are no different, and as the 25 May enforcement deadline approaches, the Institute has being helping both you and your clients to prepare for GDPR in a number of ways.  For example, we have provided guidance via articles in recent issues of Accountancy Ireland, while during February & March we have run a series of half day courses in a number of towns and cities across Ireland.  In addition, earlier this month our publications department has made available a handy GDPR booklet, specifically for our practice members to distribute to their clients and contacts. Further details on our currently available guidance can be found at Recognising that GDPR implementation presents both specific challenges and opportunities for accountants in practice, the Practice Consulting team is also busy both offering advice and preparing detailed practical guidance in this area for our members across the island of Ireland, explaining what the changes resulting from GDPR will mean for both your practice and your clients.  This guidance will include: GDPR Template Outline Procedures to be tailored and used by an accountancy firm; A paragraph for a client engagement letter addressing GDPR and a template privacy statement; GDPR 8 Step Guide; and  Explanation of GDPR terms. We intend to make these practice aids available to you in the next few weeks and ahead of the GDPR effective date of 25 May. The procedures will be free of charge to our members. In the meantime, practices should continue with their preparations. Given the specialised legal nature of GDPR and depending on firm’s individual circumstances, members firms may need to obtain independent legal advice on compliance.  Practice Consulting has also developed a half day consultation offering. Following the publication of our procedures, one of our consultants can visit your firm and offer practical advice and guidance on how to tailor your procedures, make progress on your GDPR journey, and meet key compliance milestones.  If you have any question in relation to GDPR, please feel free to contact either Conal or Jeremy in Practice Consulting by email at or by telephone at 01 637 7300.

Apr 20, 2018
Business law

Jeremy Twomey writes.. Billed as the most important change in data privacy regulation in over 20 years, and with its enforcement deadline of 25 May 2018 fast approaching, ensuring General Data Protection Regulation (GDPR) compliance has become a top priority for the majority of Irish businesses.   Over the last year, the Institute has been helping its members to prepare for GDPR in a number of ways. For example, we have provided guidance via articles in recent issues of Accountancy Ireland, while in the last few weeks we have run a series of half day roadshows and courses in a number of towns and cities across Ireland. In addition, the Practice Consulting team has been busy preparing detailed practical guidance in this area, explaining what the changes resulting from GDPR will mean for accountants and their clients. This guidance will be available under the Knowledge Centre section of the Institute website, and is designed to answer the GDPR-related questions that members have contacted us on over recent months.   While preparing this guidance, it became evident that a number of “myths” have developed over the last couple of years surrounding the implementation of GDPR. In this article, I am going to address a few of these and try to help you ensure that you do not fall foul of these, as you prepare to achieve GDPR compliance at your firm.   Myth 1 - GDPR Compliance is a once off project to be achieved by 25 May With so much hype surrounding the regulation, one should remember it is not a once off event or test for compliance. Unlike planning for the Y2K deadline in 1999, GDPR preparation doesn’t end on 25 May; it requires ongoing effort. It’s an evolutionary process for organisations; 25 May is the date that GDPR will be enforced but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May of this year. GDPR will require ongoing governance of data, as organisations migrate to new systems or apply their customer data to new markets and trends. Initial compliance is the first heavy lift, but ongoing governance is the long-term reality!   All entities falling under GDPR should endeavour to be fully compliant by the implementation day, although this may not be possible in all instances. In such circumstances it is important that you address the essential elements of compliance at your firm as soon as possible, and can demonstrate your ongoing efforts in this regard in a comprehensive documented plan of work.   Myth 2 - GDPR is only for large firms, a small accountancy practice or company is not expected to have the time or resources to achieve compliance You will have to comply with GDPR, regardless of your size, if you process personal data. Small accountancy practices do not escape the demands of compliance. GDPR needs to be prioritised by all firms, regardless of size.   The vast majority of businesses across Ireland are small businesses and it is important to remember these firms often process a lot of personal data, and their data protection reputation and liability risks are just as real as for larger entities.   Myth 3 - With Brexit, entities located in the UK, including Northern Ireland, will not have to comply with GDPR GDPR will apply to all EEA countries and any individual or organisations trading with them. As it comes into force on 25 May 2018 (before the UK is due to leave the EU), UK individuals & organisations must ensure compliance with the new regime by then. The British government has confirmed that the UK’s decision to leave the EU following Brexit will not affect the commencement of GDPR. Post Brexit, it is envisaged that if a UK organisation or individual processes personal data, then they will have to do this in accordance with GDPR. To ensure that the UK will be GDPR-compliant post Brexit, the new Data Protection Bill (currently going through Parliament in London) incorporates all of the GDPR.   Myth 4 - GDPR is a completely new approach to Data Protection It is vital to remember that GDPR builds upon the existing legislation in this area. It is an update, not a wholesale revision, to meet the changes in technology and data use over the last twenty years or so. As a result of these changes, consumers’ privacy and data were not by now as well protected as they could be. GDPR rectifies this by increasing the responsibility on organisations to use personal data appropriately and to hold it securely.   Although GDPR is not a completely new approach, it is more stringent in its application and the fines for non-compliance have been considerably increased. This means that doing nothing is not an option, although GDPR does allow organisations to take a risk based approach, based on your size and circumstances.   Many organisations struggle to assess where they should start in preparing for GDPR. It is helpful to remember that we have had data protection legislation in both the UK and the Republic of Ireland for a number of decades and therefore, firms who have taken data protection compliance seriously are already in good shape for beginning to meet GDPR’s increased compliance standards.   Myth 5 - GDPR is just more bureaucracy and work for small firms, with no potential benefits When legislation of this nature is announced, one can take either a positive or negative view of the task at hand. If you take a negative view, you will see GDPR as more bureaucracy and cost to your firm. If you take a positive view, on the other hand, you will view GDPR as a necessary strengthening of the rights of individuals, and indeed a potential opportunity.   As accountants position themselves as strategic advisers to clients, GDPR is also an opportunity for firms to demonstrate to clients that they can securely hold and process information in accordance with data requirements, and that protection of client data is a priority for the practice. As a result, clients are likely to see their accountants as trusted professionals with whom they can partner to drive their business forward. Therefore, being a leader in this area may enhance your practice and its reputation.   In addition, as trusted business advisors to your clients, you must have sufficient knowledge of this new legislation to be able to provide sound advice. SMEs need to be ready when the new law comes into force, but they may struggle to know where to start. Chartered Accountants in practice can help these small businesses bridge the gap to GDPR compliance and, in the process, win new business.   Myth 6 - Outsourcing GDPR compliance will be a quick fix for me and my firm There is no quick fix to GDPR compliance. No one piece of software or outsourced service provider is going to provide everything you need to comply with GDPR. For accountancy practices, GDPR will impact on how you manage and store data across your entire firm (e.g. client, prospective client, contact, supplier and staff data). You cannot outsource your responsibility for this information, and compliance with GDPR will require considerable time and preparation from all levels within your practice. With the implementation date of 25 May approaching quickly, it is important to start sooner rather than later on this.   Myth 7 - GDPR only applies to Digital Processing Under GDPR, data processing covers both automated personal data and manual filing systems. Manual/paper records are included if they are part of a ‘relevant filing system’. This means papers stored systematically, for example, in a filing cabinet are probably included, but ad hoc paper files may not be.   Members should ensure that they apply the same levels of diligence to paper records as they do digital records and that any decisions made regarding the lawful basis for processing, adhering to data protection principles and upholding data subjects’ rights include paper records held.   Myth 8 - Under GDPR, accountants will only be seen as Data Processors and hence avoid much of the responsibility that falls on Data Controllers in this new regulation   The UK Information Commissioner’s Office (ICO) has previously advised that it considers that an accountancy firm providing accountancy services acts as a data controller. The firm’s status as a data controller in relation to clients arises because the firm has flexibility over the manner in which it provides services to its clients and will not be simply acting on their instructions. In addition to this, the firm has its own professional responsibilities regarding record-keeping and confidentiality. Therefore, because an accountant “determines what information to obtain and process in order to do the work”, firms act as “controllers in common” with clients. Under GDPR, member firms will also be data controllers with regard to their firm data (e.g. employee information). If there is any doubt regarding your status as a processor or controller in relation to your firm’s activities, you should take legal advice. Going forward, firms will need to ensure that client terms and conditions reflect this reality, potentially extending engagement terms as appropriate.   No doubt, for many accounting practitioners, much work remains to be done to fully meet GDPR compliance requirements. Between now and the end of May, firms new to the process will need to examine their existing data processing, review their data protection policies, procedures & controls, and identify any gaps that need to be addressed. Following on from this, firms will need to implement any changes required in a structured documented manner to meet the needs of GDPR and continue to show full compliance long after the implementation date.   The Institute will continue to assist members on your GDPR compliance journey, with ongoing updates to our available guidance in this area and, should you have a specific query in this area, please feel free to contact the Practice Consulting Team.

Apr 19, 2018
Governance, Risk and Legal

With the GDPR deadline fast approaching, organisations should step up their efforts to ensure compliance writes Peter Bolger.   It is now eight weeks until the General Data Protection Regulation comes into force and it will have to be implemented by all businesses within the EU. Many companies have already taken steps to comply with the principles of this regulation but those who have not yet done so should urgently consider implementing GDPR strategies. Chartered Accountants need to incorporate new changes in their businesses, be it in private practice or in-house, in order to be GDPR compliant. GDPR was passed by EU legislators in 2016. Following this, there was a two-year lead-in period so that awareness could be raised about the changes GDPR will make to privacy law. This period, ending on 25 May 2018, also allows businesses to take the time to ensure they are compliant. This involves reviewing and updating any policies or practices on processing personal data. It is of utmost importance that businesses are compliant, insofar as possible, by this date. The Data Protection Bill 2018 has recently been published and is as important as GDPR. The Bill incorporates Ireland’s national implementing measures and also creates a new regulatory framework for enforcing data protection laws in Ireland. The Bill establishes the enforcement and administrative powers that are necessary to give effect to the intention of GDPR. Data protection officers In certain instances, it will be mandatory to appoint a data protection officer (DPO). This person will be responsible for advising the company on compliance with GDPR and will also act as a point of contact for data protection authorities and data subjects. Businesses must check whether or not they will need a DPO. Under GDPR, a DPO is required where the organisation is a public body; carries out large scale regular and systematic monitoring of individuals; or carries out large scale processing of special categories or data relating to criminal convictions and offences. The Article 29 Working Party has issued guidelines on DPOs. The guidelines note that managers and those who work in IT cannot assume this role. Fines It is extremely important to note that fines under GDPR are substantial. While the maximum penalty under the current regime is €100,000, fines under GDPR are much greater. Depending upon the nature of the breach, either the lower or higher threshold of fines will be imposed. The lower threshold of fines is up to 2% of an undertaking’s global turnover in the previous year or €10 million, whichever is higher. The higher threshold is up to 4% of an undertaking’s global turnover in the previous year or €20 million, whichever is higher. The Data Protection Bill provides that a decision of the Data Protection Commissioner to impose a fine can be appealed to the Circuit Court or the High Court. It should also be noted that under the Bill, most public bodies are exempt from administrative fines.  Data Protection Impact Assessments Data Protection Impact Assessments (DPIAs) will be mandatory under GDPR where high-risk processing is contemplated. High-risk processing may involve profiling, large scale processing of special categories of personal data or large scale processing of public areas. DPIAs are only mandatory where the processing of data is “likely to result in high risk to the rights and freedoms of natural persons”. The Article 29 Working Party has issued guidelines on DPIAs and states that the rights and freedoms in question may also involve freedom of speech, thought, movement, prohibition of discrimination and rights to liberty, conscience and religion. These rights could also trigger an obligation to carry out a DPIA. New data subject rights Data subjects have increased rights under GDPR. Organisations must learn how to comply with these new rights and it is likely that privacy policies will have to be reviewed and updated. GDPR introduces the right to data portability, the right to erasure and the right to object to profiling. Certain rights have been modified, such as the data subject access right (SAR). This gives an individual the right to receive a copy of his or her personal data, which the controller holds. The already tight timeframe of 40 calendar days has been reduced to within one month of receiving a valid access request. It is therefore essential that organisations have an efficient and correct procedure in place to comply with any SARs received. Consent GDPR increases the obligations on data processors and controllers to obtain an individual’s consent prior to processing any personal data. Consent forms will therefore also need to be reviewed and updated. Data subjects must be informed of their right to withdraw their consent to processing at any time. For consent to be valid under GDPR, it must be “freely given, specific, informed and unambiguous”. Consent to process data must be entirely separate from other consents related to the firm’s business. The Article 29 Working Party in its guidelines on consent pointed out that in the case of employment, where the employer is the data controller, an employee (i.e. the data subject) is rarely in a position to give free consent. This issue was also raised by the Irish Data Protection Commissioner. Organisations must have the resources in place, should a data subject wish to retract consent. It must be as easy to withdraw consent as it is to give it. Therefore, many companies are now assessing whether to rely on consent or another GDPR-compliant basis for their processing. Under the Data Protection Bill, Ireland has lowered the age of digital consent to 13.  Accountability Accountability is one of the main principles of GDPR. Organisations must assess whether they have a sufficient data protection programme in place. They must also provide evidence of how it complies with GDPR. This could be done by showing that it has implemented data protection policies through regular checks and testing. A significant amount of Irish companies are now carrying out GDPR compliance programmes to ensure that they are in a position to demonstrate this compliance. Data breaches GDPR will change the notification requirements in the event of a personal data breach. Organisations must put data breach policies in place and internal registers of breaches must be available for inspection. Data controllers will therefore need to document incidents of data breaches and remedial action taken. The Data Protection Commissioner will need to be notified where a breach is likely to result in a risk to the rights and freedoms of individuals. In cases of high risks for the data subjects, data subjects generally must also be notified. In its guidelines on determining whether processing is “likely to results in a high risk”, the Article 29 Working Party stated that this risk exists where the breach may lead to physical, material or non-material damage to the data subject. The Data Protection Bill permits not-for-profit bodies to lodge complaints with the Data Protection Commissioner on behalf of data subjects in the event of a data breach. They are also permitted to bring a civil claim. Conclusion  The sooner preparation for GDPR begins, the more risks will be minimised and – importantly – the likelihood of fines being imposed. Becoming GDPR-compliant is a large undertaking for all organisations. Once the time is taken to put the proper policies and procedures in place, compliance will not be so difficult to achieve.   Peter Bolger is the Head of Intellectual Property, Technology and Privacy at LK Shields.

Mar 29, 2018

The single, largest piece of advice from data privacy group 3M in finalising preparations for the General Data Protection Regulation (GDPR) is to review everything - now. GDPR will fundamentally change the way businesses collect, store and use customers’ personal information when it comes into force on the 25 May 2018. According to 3M, many businesses are underestimating the work involved to ensure compliance.   Businesses that do not comply or are in found of a breach can face a fine of up to €20 million in penalties or 4% of annual worldwide turnover.   3M has identified five key, practical measures to take in preparing for the new regulations in just a few weeks’ time:   Take ownership and take action: your internal GDPR team must take responsibility for reviewing existing data, developing new procedures for collecting, storing and using data, and for ownership of the policies. They will be accountable in the event of a breach, so task this team to conduct final checks on all data, all material and all your company policies and privacy statements; Conduct an appraisal: task your GDPR team to review all personal data held by your organisation, including how you received it. Validate it and catalogue it as required, then perform a gap analysis to identify potential, associated risks. Then evaluate all data privacy notices and policy procedure documents in terms of GDPR compliancy; Develop new policies and procedures: after you have mapped the data, it’s time to implement internal policies and measures which take into account Privacy by Design and by Default. The new or improved policies and procedures are designed to mitigate the security and privacy risks identified with existing data that may be unauthorised, or to defend the company in the event of an involuntary security breach; Training: implement training and review checklists for data protection among your organisation. Implement internal breach notification procedures and incident response plans. Ensure your communications teams, and anyone else with direct contact to current and prospective customers, are aware of the company’s new policy; and Security: assess the design of any open space working areas, particularly those of data sensitive departments such as Finance, Legal, HR, Pricing and so on. The mobile workforce is also at high risk of visual hackers accessing private, sensitive or confidential information for unauthorised use. Implement new security measures such as privacy filters to safeguard the display of information and mitigate exposure to visual hacking. Source: 3M.

Mar 23, 2018

As you prepare for the implementation of GDPR, there are a number of practical measures to consider when it comes to processing employee data. Most accountancy firms collect and process personal data relating to their employees on an ongoing basis as part of their everyday personnel administration. Personal data processed by your firm could be anything from salary details for administering payroll to sick notes presented by employees regarding absence. As a result, most accountancy firms will be affected by the EU General Data Protection Regulation (GDPR), which will regulate the processing of personal data when it becomes directly applicable from 25 May 2018. With four months to go before GDPR applies to your firm, this article focuses on what GDPR is and some practical measures you should consider in terms of processing employee data. What is GDPR? Over the past two years, we have noticed many organisations struggle to assess where they should start in terms of preparing for GDPR. It is helpful to remember that we have had data protection legislation in Ireland since 1988 and therefore, firms who have taken data protection compliance seriously are already in good shape for meeting GDPR’s increased compliance standards. GDPR builds upon, and enhances, many of the existing data protection requirements and principles under current Irish data protection legislation. Rather than fear it, GDPR should be viewed as an opportunity to re-visit your firm’s level of data protection compliance. From 25 May 2018, GDPR will replace the 1995 Data Protection Directive, which is the EU legislation on which the main Irish data protection legislation, the Data Protection Acts 1988 and 2003 (as amended) (DPA), is based. There will also be Irish implementing national legislation to give further effect to, and provide for exemptions from, GDPR. In Ireland, the Department of Justice and Equality published the General Scheme of the Data Protection Bill 2017 in May 2017 (General Scheme). The General Scheme essentially sets out the heads that are proposed to be included in the Irish implementing legislation when it is enacted. As a general comment, the General Scheme is very much in draft form and is lacking in detail. Therefore, publication of the draft Bill is anxiously awaited. At the time of writing, it is not yet known when a draft Bill will be published but it may be released before publication of this article. “Consent” in employment contracts As with the current DPA, in order to process an employee’s personal data your firm needs a legal basis to do so. Many of the legal bases that employers currently rely upon to process employee personal data will continue to exist under GDPR. The most relevant legal bases to employers, both under the DPA and GDPR, are as follows: The employee has given their consent to the processing; Processing is necessary for the performance of a contract to which the employee is a party to; Processing is necessary in order to take steps at the request of the employee prior to entering into a contract; Compliance with a legal obligation; Processing is necessary to comply with the employee’s vital interests; and For the purposes of the legitimate interests of the firm. In practice, we find that many employers tend to rely upon the first legal basis mentioned above for data processing, namely consent, which is usually procured in the employment contract. For consent to be valid, it must, among other things, be “freely given”. This raises concerns in an employment context as it is questionable whether an employee’s consent is freely given on the basis of the imbalance of power between employer and employee. The Irish Office of the Data Protection Commissioner (ODPC) has also raised this concern in the context of the existing DPA. The Article 29 Working Party, which is the representative group of EU data protection authorities, recently commented in non-binding guidance that an employee is rarely in a position to give free consent. Significantly for employers, consent can also be retracted by employees at any time and it must be as easy to withdraw consent as it is to give it. Operationally, firms will need to have the resources in place to facilitate an employee retracting their consent. Another point to bear in mind when relying upon consent is that certain data subject rights can only be exercised where consent is the legal basis – for example, the right to data portability and the so-called “right to be forgotten”. Based on the concerns with relying upon consent, now is the time to consider whether alternative legal bases could be relied upon by your firm for certain processing of personal data. For example, processing an employee’s details as part of payroll could instead be based upon the legal basis of performance of a contract with the employee. There may, however, be situations where consent is the only appropriate legal basis to rely upon. Such a situation may arise, for example, in the context of processing an employee’s medical information where such processing is not required by employment law. Where it is necessary to rely upon consent as a legal basis, consent should be procured through a declaration or other document separate to the employment contract, which is not intrinsically linked to the employee’s acceptance of their employment with the firm. Data subject rights GDPR introduces new data subject rights and also modifies some of the existing rights under the DPA. A modified right, which many firms may be familiar with, is the data subject access right (SAR). This essentially gives an individual the right to receive a copy of his or her personal data which a data controller (e.g. an employer) holds. In practice, we find that SARs are being made more frequently by employees, particularly as an alternative to discovery in litigation or as a fishing exercise prior to making an employment claim against the employer. SARs as they currently exist can be onerous for an employer to comply with and GDPR will not make them any easier from an employer’s perspective. The current tight time-frame to respond  to a SAR of “as soon as may be” but not longer than 40 calendar days will shorten under GDPR to a response being required “without undue delay” and in any event within one month of receiving a valid access request. Currently under the DPA, employers are entitled to charge an administrative access fee of €6.35 for processing a SAR, which will be abolished by GDPR unless the employer can demonstrate that the cost will be excessive. The shorter time-frame for responding to a SAR means that firms will need to ensure that they have the policies and procedures in place to comply with a SAR received and that they have sufficient staff and resources. However, if a request is complex or a number of requests are made, then the time-frame can be extended by a further two months where necessary. The data subject must be informed of the extension, and the reasons for it, within one month of the employer having received the SAR. Accountability Accountability is a core principle of GDPR. It requires that firms not only comply with GDPR by implementing appropriate technical and organisational measures and appropriate data protection policies, they must also be able to demonstrate their compliance. The current Data Protection Commissioner, Helen Dixon, has noted that this is not just a pen-pushing exercise. You therefore need to be able to meaningfully demonstrate compliance. As such, this will involve more than simply having data protection policies and processing registers in place that comply with GDPR. Your firm will also need to be able to show that it has implemented such policies through staff training and regular checks and testing, for example. Information to be provided to employees As with the DPA, under GDPR certain information must be supplied to employees before their personal data is collected and processed by your firm. Otherwise, such processing is unlikely to be considered fair and is likely to be contrary to the data protection principle that personal data must have been obtained and processed fairly and lawfully. The information will typically be provided in the form of a notice to job candidates and a further privacy policy will be supplied to successful job applicants as part of their on-boarding induction to the firm. While this information requirement continues under GDPR, the content of such notices and policies will need to include additional information. Under GDPR, the following information will need to be provided: The firm’s name and contact details and the name and contact details of your data protection officer (where one has been appointed); The purpose(s) of the processing as well as the legal bases for processing; Where the legal basis for processing is based on the firm’s legitimate interests, those legitimate interests should be identified; The recipients or categories of recipients of personal data; That the firm intends to transfer personal data to a third country and the legal basis for the transfer; The retention period for personal data and the criteria used to determine this; How employees (or job candidates) can exercise their right of access, rectification, erasure, restriction to processing, objection to processing and data portability, if such rights apply to the employee (or job candidate); How employees (or job candidates) can retract their consent to processing, where the processing by the firm is based on consent; The right to submit a complaint to the relevant Data Protection Supervisory Authority; Whether the employee (or job candidate) is required to provide their personal data pursuant to statute or a contract, and the consequences of failing to provide such data; and The existence of automated decision-making, including profiling, and the logic and consequences of the processing for the employee (or job candidate). It is important to review existing notices and policies given to employees and job candidates in order to check that they include the above information. Data Protection Officer An important change being introduced by GDPR is the requirement for certain data controllers and processors to appoint a data protection officer (DPO). The DPO will be responsible for overseeing the organisation’s compliance with data protection. The DPO is not, however, a new concept. While this will be the first time in Ireland that this role has been codified, many organisations may already have an individual responsible for data protection compliance and DPOs are in fact required in Germany. What is new under GDPR is the fact that a DPO must, under statute, be appointed for the following controller and processor organisations: Public authorities or bodies (except for courts acting in a judicial capacity); Data controllers and processors whose core activities consist of processing, “which require regular and systematic monitoring of data subjects on a large scale”; and Data controllers and processors engaged in large-scale processing of sensitive personal data or personal data relating to criminal convictions and offences. The Article 29 Working Party, in guidance, recommends that controllers and processors document their internal analysis conducted to decide whether a DPO is required. An important point that the Article 29 Working Party have also highlighted is that, while organisations are free to voluntarily appoint a DPO and the Article 29 Working Party encourages this, if an organisation does so, a voluntarily-appointed DPO is under the same obligations as a mandatorily-appointed DPO. With the above in mind, firms that already have an individual whose day-to-day work is largely the same as a DPO may want to consider the increased responsibility of the role; the fact that the DPO reports to the highest management level; that the DPO function must be adequately resourced; and further, that a DPO is expected to have expert knowledge of data protection law. Significantly, it is a form of protected employment as the DPO cannot be dismissed or penalised for fulfilling their tasks within the firm. This role needs to be carefully considered before making an appointment. Peter Bolger is the Head of Intellectual Property, Technology and Privacy at LK Shields.

Feb 06, 2018

Just 37% of companies have been subject to a data protection audit in the past, while 55% of companies think they will be subject to an audit in the coming 18 months according to research published by Wizuda. With less than 6 months before GDPR comes into full effect, the survey also found that over one third of Irish organisations have not yet started work on their GDPR compliance project with 26% indicating that other projects took priority. Majority of SMEs believe an audit is coming The survey showed that 69% of Irish SMEs consider themselves to be data processors. GDPR imposes direct statutory obligations on data processors, meaning they will be subject to direct enforcement and potential fines by the Office of the Data Protection Commissioner (ODPC) as well as compensation claims by data subjects. All data processors must now make available all information necessary to demonstrate compliance and allow audits to be conducted by the data controller. With the recent 56% budget increase given to the ODPC along with the prescriptive obligations data controllers must now place on data processors under GDPR, only 19% of Irish SMEs believe that they won’t be subject to a data protection audit in the next 18 months. Failing at the first email Wizuda’s research also revealed that, despite awareness of data privacy demands, 57% of organisations still use email to send personal data. This, Wizuda warns, greatly exposes organisations to a potential data breach or data audit failure. Furthermore, two in five organisations are using old in-house scripts to transfer data, making it difficult to demonstrate compliance when requested in an audit. "While it is worrying that less than two thirds of Irish SMEs have actually started their own project, it is good to see that 80% of those surveyed see IT as a major stakeholder in their GDPR compliance programme," said Danielle Cussen, Managing Director of Wizuda. "Both the OPDC and data controllers will be looking to ensure that all data processors are GDPR compliant, so we would expect the number of Irish companies planning for a data protection audit continuing to increase in the run-up to May 2018." Mike Ross, Commercial Director of Wizuda, added: "Don't wait. If you know of a high-risk area, address it now. The right technical solutions can put permanent fixes into place and make the first steps of GDPR compliance much easier."   Source: Wizuda.

Jan 05, 2018

Wizuda published its nationwide General Data Protection Regulation (GDPR) IT research and found that, although only 37% of companies have previously been subject to a data protection audit, 55% of companies think they will be subject to an audit in the coming 18 months. With less than 6 months before the GDPR comes into full effect, the survey also found that over a third of Irish organisations have not yet started work on their GDPR compliance project, with over a quarter (26%) indicating other projects were a priority. Wizuda commissioned Amárach Research to conduct a national research project across 175 organisations, investigating GDPR awareness, prioritisation and obligations. This study focused on SMEs and targeted IT decision makers ranging from IT Directors, Heads of IT, CIOs and CISOs. “Whilst it is worrying that less than two thirds of Irish SMEs have actually started their own project, it is good to see that 80% of those surveyed see IT as a major stakeholder in their GDPR compliance programme” said Danielle Cussen, Managing Director, Wizuda.  “Both the OPDC and data controllers will be looking to ensure that all data processors are GDPR compliant, so we would expect the number of Irish companies planning for a data protection audit continuing to increase in the run up to May 2018.”  An audit is coming  The survey showed that 69% of Irish SMEs consider themselves to be data processors. The GDPR imposes direct statutory obligations on data processors meaning they will be subject to direct enforcement and potential fines by the Office of the Data Protection Commissioner (ODPC), as well as compensation claims by data subjects. All data processors must now make all information necessary available to demonstrate compliance and allow audits to be conducted by the data controller. With the recent 56% budget increase given to the ODPC, along with the prescriptive obligations that data controllers must now place on data processors under GDPR, only 19% of Irish SMEs believe that they won’t be subject to a data protection audit in the next 18 months.

Dec 08, 2017

Come May 2018, all businesses within the EU will be required to implement the General Data Protection Regulation. Peter Bolger maps out what you can do to make sure your firm is compliant. Chartered Accountants Ireland has consistently been to the forefront in ensuring the profession it represents remains relevant to business needs in Ireland and abroad. From May 2018, Chartered Accountants in the EU will be required to incorporate new changes, set out in the General Data Protection Regulation (GDPR) and supplemented by the Data Protection Bill 2017 (which is still unpublished), in their businesses.  While the GDPR becomes directly applicable on 25 May 2018, one should be aware that it is already a final form law, having been passed by the EU legislators in 2016. The intention of GDPR finally becoming directly applicable in the EU is that it will lead to greater harmonising of data protection rights and obligations throughout the area.  This lead-in period facilitates awareness about changes GDPR introduces to privacy law and allows businesses to review and update their current policies and practices on processing of personal data so that these are compliant with GDPR, in so far as is possible, by next May. Contrary to much of the hype surrounding the regulation, one should remember it is not a once off event or test for compliance. The GDPR marks the beginning of an enhanced approach by lawmakers to individuals’ privacy rights where those individuals are situated in the EU. From 25 May 2018 onwards, businesses will be required to demonstrate ongoing compliance with these rights. This article focuses on some practical measures accountants in Ireland can take over the next six months to prepare their businesses for changes in data protection law.  Application of GDPR GDPR applies to organisations established in the EU that process personal data, either as a data controller or data processor. In practical terms, this applies to every organisation operating in the EU because of the wide meaning of “processing”. Processing essentially means anything that is done to, or with, personal data (including simply collecting, storing or deleting that data). The meaning of “personal data” is broader under GDPR than it is in Ireland under the Data Protection Acts 1988 and 2003 (DPA). GDPR adds identifying types of data to the definition of “personal data”:  “an identifier, such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”  The wider definition of personal data under GDPR reflects the significant impact of technological changes on individuals’ everyday lives. In fact, this is a primary principle underpinning GDPR; to make data protection rules fit for purpose, taking account of the vast technological developments over the last two decades. These changes in technology also extend to how organisations collect and store personal data. How to the prepare for GDPR Begin data mapping Accountants, whether practising in accountancy firms or acting as Chief Financial Officers in organisations of other disciplines, may be best placed as the ‘go-to’ person to commence a dialogue on coordinating the organisation’s data mapping. Data mapping is a practical prerequisite for any organisation to plan its GDPR compliance strategy. It involves identifying, understanding and mapping out the data flows into and out of the organisation. To be effective, the process requires information to be collated from all departments in an organisation. This is likely to necessitate the input of senior management and IT. As the data map evolves, you should be able to identify the flow of data, gaps in required contracts and consents for processing data under the GDPR, required impact assessments, risks in security measures and whether the organisation should appoint a Data Protection Officer (DPO). Review existing contracts and policies Accountancy firms should review their existing contracts with their customers and suppliers to identify whether the accountancy firm is the data controller or data processor of any personal data it processes under different contracts. The test of data controller or data processor will be determined by the factual matrix and not the terms the parties ascribe to the relationship in a contract. This involves identifying the different categories of data held by your business, the purpose for which you process it, the categories of data subjects, who you share the data with and on whose authority.  If an incorrect entity is designated data controller or data processor, it is recommended that the contracts are amended prior to May 2018 to ensure they reflect the provisions under GDPR. In many cases, accountants will be the data processors of their customer’s personal data but there may be circumstances where they will be joint data controllers. If this is the case, it is recommended further advice is sought.  Get new consents that meet GDPR standards The principle of consent is fundamental to GDPR. GDPR increases data controllers’ and data processors’ obligations to obtain an individual’s consent to process personal data as part of their business activities. GDPR provides, that where consent is relied on for a reason to process personal data, the consent must be “freely given, specific, informed and unambiguous”.  If your business currently relies on consent for processing personal data, double-check if the consent practices comply with the GDPR. Where possible, it is recommended that organisations rely on a different basis to consent, such as compliance with legal obligations or legitimate interests, for processing personal data. However, this exercise cannot be artificial. For example, if your business sends direct marketing material to clients, you will need fresh consent from each client to do this under GDPR. It is unlikely that direct marketing will be considered a legitimate business of an accountant’s practice. It will be important that consents are kept entirely separate from other terms and conditions related to your organisation’s offerings. It is equally important that you are able to demonstrate that the consent was freely given, clear, informed and required an affirmative action by an individual. It is likely that consent will require an audit trail to ensure that organisations’ consent processes can be independently evaluated.  Carry out Data Protection Impact Assessments GDPR makes privacy by design an express legal requirement. Accountancy firms typically have access to their client’s personal data during financial audits. The nature of audits, which may include special categories of personal data, akin to sensitive personal data under the current DPA, means it is highly likely accountants will have to carry out Data Protection Impact Assessments (DPIA).  A DPIA is a process for building and demonstrating ongoing compliance with GDPR principles and only mandatory when the processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons”. Depending on the circumstances, a DPIA may concern an organisation’s single processing operation, or a single DPIA may be used to assess multiple processing operations that are similar. This latter scenario may arise where the same technology is used to collect the same sort of data for similar purposes.  The Article 29 Working Party, the advisory body on GDPR, represented by the data protection regulator of each Member State, has issued guidance stating the rights and freedoms in question are not limited to privacy and may involve freedoms of speech, thought, movement, prohibition of discrimination and rights to liberty, conscience and religion. One or more of these rights may trigger an obligation to carry out a DPIA for a processing activity.  It is important to be aware that even in circumstances where your organisation is a data controller, and GDPR obligation to carry out a DPIA has not been met, the organisation is still required to continuously assess the risks created by its processing activities and be alive to situations where the obligation to conduct a DPIA is ignited.  Assess your organisation’s personal data security measures Data security has a prominent role in GDPR. Organisations in Ireland will be required to report personal data breaches to the Data Protection Commissioner. However, this obligation does not arise in all circumstances where there will be a breach. The notification obligation is triggered where the breach is likely to result in a risk to the rights and freedoms of individuals. As discussed above, the rights in issue are wider than data protection and privacy rights. GDPR also places obligations on data controllers to directly communicate breaches to affected individuals unless doing so would involve a disproportionate effort. The Article 29 Working Party has stated in its guidance that this risk exists where the breach may lead to physical, material or non-material damage to the individual whose data has been breached. This could be financial loss, identity theft, fraud and reputational damage. To mitigate against breach notification, GDPR also encourages data controllers to conduct a risk analysis of the security measures they implement to assure adequate personal data security. At a minimum, the GDPR requires these measures to include: The pseudonymisation and encryption of personal data; Ensuring the resilience of systems and services processing data Restoration of access to personal data in the event of a breach; and Frequent testing of the effectiveness of the security measures. In addition to being best practice, putting in place the security measures listed above is likely to remove the standard obligation to inform affected individuals. An organisation’s failure to comply with its data security obligations may result in a fine of up to €10,000,000 or 2% of its total worldwide annual turnover. It is much more cost effective for data controllers to review and upgrade their security measures, implement relevant industry best practices and develop and maintain data breach plans.  Decide whether to appoint a Data Protection Officer Under the GDPR, an organisation is only required to appoint a DPO where: It is a public body; It carries out large scale regular and systematic monitoring of individuals as part of its core activities; or It carries out ‘large scale’ processing of special categories of or data relating to criminal convictions and offences. ‘Large scale’ is said to include large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect many data subjects, and which are likely to result in a high risk. Most accountancy firms will not be required to appoint a DPO but may choose to do so. The appointment of the person to the role of a DPO should be undertaken with great care. GDPR does not list specific qualifications or credentials that a DPO should possess, but it does state that a DPO should be a person of high integrity, professionalism and have “expert knowledge of data protection law and practice” to be able to carry out his or her duties. The Article 29 Working Party has issued the following guidance for organisations on appointing a DPO:  In determining if a DPO is required, keep a copy of their analysis in their records as this assessment falls within the scope of its wider accountability obligations; Preferably, the DPO should be located within the EU; There can only be one DPO, but he or she can be supported by a team; and Senior managers including HR, marketing and IT individuals are barred from serving as the DPO. GDPR preparation will be a large undertaking for most businesses, but if they take the time to implement some practical data privacy measures before May 2018, ongoing compliance processes won’t be so daunting. Peter Bolger is the Head of Intellectual Property, Technology and Privacy at LK Shields.

Dec 01, 2017

Colm McDonnell, Partner and Head of Risk Advisory at Deloitte Ireland, shares his thoughts on the new General Data Protection Regulation (GDPR) and Network and Information Security Directive. GDPR has been described as a “game-changer” by Ireland’s Data Protection Commissioner. Why is it so important, in your view? With the introduction of GDPR next May, existing data protection laws will experience substantial changes in terms of scope and effect. The existing legislation, based on EU Directive 95/46/EC, was transposed by individual member states in local ways, which led to an ad hoc approach being taken across the European Union (EU). The new legislation means that the application of the legislation will be consistent across all member states and should make it easier for companies to conduct business EU-wide with a level of certainty as to their obligations. In addition, companies must be aware of how and why they use personal data as GDPR increases the right of individuals in relation to the privacy of information and how their information is processed by companies. With the implementation date of 25 May 2018 fast approaching, is Ireland prepared for this new legal framework? GDPR has been on the radar for a number of years and in that time, the Government and Data Protection Commissioner have engaged with stakeholders to ensure that Ireland meets the challenge of GDPR head-on. As Ireland is a knowledge-based economy, it’s imperative that the country is ready for 25 May 2018. Deloitte has been working with clients to ensure that they are fully aware of their obligations under the new framework and crucially, that they also have a strategy and process in place to manage the implementation of changes such as the introduction of Data Protection Officers. In the broader cyber environment, what will the Network and Information Security Directive (NIS Directive) do for cyber resilience in Europe? The NIS Directive is forecast for transposition by the Irish Government by May 2018. At this date, companies in industry sectors that are defined as belonging to a sector of national critical infrastructure will be defined. These organisations will be known as providers of operators of essential services (OES) and most of these organisations will already be in heavily regulated industry sectors such as telecoms, energy and transport for example. Such organisations will be subject to the oversight and reporting regime imposed by the NIS Directive. The NIS Directive is focusing on new requirements for network and information security for operators of essential services and digital service providers (DSPs) to provide for network security and business continuity in critical sectors. Essentially, the NIS Directive is ensuring a consistent EU-wide approach to business continuity in critical national infrastructure. As such, cyber resilience across all member states will be strengthened with this new Directive. What roles can finance professionals, such as Chartered Accountants, play in such projects? And should they lead the charge? The implementation of such projects involves knowledge of EU legislation, an understanding of requirements per organisation, seamless integration into daily business operations as well as realising the new opportunities that GDPR and the NIS Directive will bring to business in Ireland. Professional staff, such as Chartered Accountants, are uniquely positioned – as a result of their industry knowledge, professional experience and client focus – to help steer organisations through times of change. As such, a Chartered Accountant is ideally placed to lead the implementation of GDPR and NIS Directive projects for their organisations. If GDPR is still on a firm’s to-do list at this stage, what advice would you give them? Given the time-frame for implementation, I would advise that such firms not panic. Rather than approaching this as a stand-alone project, I would suggest engaging the services of service providers who have the knowledge, expertise and skills to help such a firm meet the challenges of GDPR on time and to meet its regulatory obligations.   Colm McDonnell is a Partner and Head of Risk Advisory at Deloitte Ireland.

Aug 11, 2017

With less than 10 months to implementation, General Data Protection Regulation should be high on the agenda of every business and board. After many years of negotiation, the General Data Protection Regulation (GDPR) was adopted into European law in May 2016. This new cybersecurity and data protection legislation will affect customers in Europe and also, those around the world who do business with Europe-based companies. It is important to point out that most of the articles in the regulation already appear in the legislation of individual countries. The aim of GDPR, however, is to harmonise data privacy laws across Europe and create a level playing field. EU companies now have until 25 May 2018 to implement and conform to the new regulations, or face large fines. So if you have not considered GDPR thus far, now is the time to act. A parallel directive affecting the processing of data by law enforcement authorities was agreed at the same time as GDPR, so the EU authorities are clearly taking a serious stance on this topic. However, recent surveys of Irish firms concluded that many are significantly unprepared for the new EU data protection law, with over half of organisations surveyed unlikely to detect a sophisticated attack. In this article, we will provide you with strategies and ideas to implement in your own company as you work towards achieving compliance. Major knock-on effects GDPR brings significant changes to how firms must handle and process personal data. Your organisation’s existing processes – which may include collection, retention and deletion, general inputting and so on – must be revised so that they comply fully with the new data protection rules, which are stricter than ever before. When legislation of this nature is announced, one can take a benevolent or malevolent view of the task at hand. If you take a malevolent view, you will see it as more bureaucracy, more cost and so on. If you take a benevolent view, on the other hand, you will view GDPR as a fantastic opportunity to tidy up your data, reconnect with your customers and build better and more solid relationships. Let’s take the benevolent view and state that, first and foremost, GDPR is for all EU data subjects and their protection. Customer data belongs to customers and GDPR makes this clear. You might provide data to a company, but this does not mean that they now own it. They merely borrow it and under GDPR, they will need to protect and explain more clearly why they have it. Your organisation’s internal governance processes should now be reviewed and, more than likely, altered ahead of the GDPR implementation date. For example, if you process data, new data governance obligations will apply and records of how you prepare and keep records of processing activities will come into force. You will also be required to demonstrate how decisions to use data for further processing are reached. Transparency will be more important than ever before. Personal data must therefore be processed in a transparent manner (i.e. collected for explicit and legitimate purposes), limited to what is necessary in relation to the purposes for which they are processed, and must be accurate and kept up-to-date. New rights for data subjects A data subject is the living person to whom personal data relates. Under GDPR, data subjects will have far more control over their personal data and, quite significantly, the right to be forgotten. This means full erasure of their personal data. Data subjects will also have the right to data portability (i.e. the ability to obtain and reuse their personal data for their own purposes across different services) and, if they require more information on their data, organisations must make it easy to request such data and provide a comprehensive response within one month from the date of request. All of this will inevitably lead to a major increase in the administrative burden for organisations, and that burden will be particularly onerous for those companies who store data on paper. New responsibilities First and foremost, consider your new responsibilities from the perspective of protecting people’s digital data. Data protection is not linked to a specific technology, and GDPR is principle-led for the protection of EU data subjects in general. A new concept of joint liability for both data controllers (the entity that determines the purposes, conditions and means of the processing of personal data) and data processors (the entity that processes personal data on behalf of the controller) will come into force under GDPR. The data processors will be jointly liable to data subjects for damages unless they can prove, for example, that a data breach was not their fault. Punishment for breaches will not be extreme and will be related only to how sensitive the data is that you hold, and what steps you have (or have not) taken to protect it. The implication here is that previous contractual obligations may need to be revised and new contracts will require appropriate stipulations. Data controllers will have far more responsibility to provide accurate information on how data is processed. They will, for example, be obliged to detail the retention period for the data and provide information about the legal basis for data processing. So, it isn’t only data controllers who will need to maintain records of their processing activities; data processors will as well. ‘Data protection by design’ is a new phrase in the data protection lexicon. It means that, in each element of designing or compiling a new data-based solution, organisations must demonstrate that the rights of the data subject were considered through encryption or pseudonymisation, for example. Where a security breach occurs, new notification procedures must be enacted. For instance, data processors must report breaches to the data controller. Data controllers must also report security breaches to the country’s supervisory authority without undue delay and no more than 72 hours after becoming aware of it. Furthermore, privacy impact assessments will be required when firms wish to undertake certain types of personal data processing. Transfer of personal data Transfer of personal data provisions remain largely the same as was outlined in the previous Directive. However, data transfers under the mechanisms of ‘safe harbour’ are no longer permissible. The EU/US Privacy Shield agreement was adopted by the European Commission in July 2016 and contains far more stringent rules than the previous ‘safe harbour’ agreement. It will, for example, offer more channels for the data subject to seek redress. Next steps To get your preparations under way, we suggest that you: • Identify the areas of your business that may be impacted by GDPR; • Seek help to design, develop and implement solutions in line with data privacy requirements. You should also take operational, IT and information security perspectives into consideration; • Design systems to detect, address and prevent security breaches through integrated hardware and software solutions. This should include the discovery and classification of sensitive data, vulnerability assessment, activity monitoring, quarantining, the protection of sensitive data and so on; • Ensure that you are compliant in how you process personal data through your internal governance processes and how you keep track of reporting data breaches; and • Design governance structures to build confidence in the way your data is explored and managed, particularly for unstructured data. A force for good The GDPR preparation period is a great time to review your data – not just for the purpose of GDPR, but for business development reasons also. Ask yourself: do you really know your customers? Can you help improve their relationship with you, so that you better meet their needs while protecting the information they have given you? Consent and general usage of personal data must be assessed no matter what. That said, you can turn this requirement into a force for good and build much greater trust with your customers and employees in the process. Look outside Your organisation may need to employ outside expertise to build internal capabilities, next generation threat intelligence systems, and enterprise monitoring and security operation centres. Ask yourself if your company has a robust plan for the management of security incidents. If you are not confident, now is the time to assess that risk and implement the appropriate security measures that will allow you to deal with incidents within your own firm. Conclusion Europe’s new regulatory environment for cybersecurity and data protection is less than a year away. This will offer both opportunities and challenges, ranging from improved governance to securing application and infrastructure. In a globalised and more interconnected business world, being able to navigate the regulatory environment of the future will be a critical success factor for practically all businesses. Your ability to deploy the appropriate security and data protection controls and procedures in a way that can be rapidly demonstrated is now a matter of good governance. The clock is ticking, so there’s no time to lose. Billy O'Connor is Managing Director at The Discovery Partnership and a registered IBM Business Partner.

Aug 02, 2017

The EU General Data Protection Regulation (GDPR) is the most significant piece of data protection legislation to be passed in the history of the European Union, according to the team at Ronan Daly Jermyn. "What’s really catching the headlines is the new top-end fine, to give an example, the higher-tier provision will result in a maximum fine of up to 4% of a company’s preceding year’s global, worldwide turnover or €20 million, whichever is greater. Compare that to the existing law where the maximum penalty applicable to most companies is €100,000," said Bryan McCarthy, Head of Ronan Daly Jermyn's Cyber and Data Protection Group. GDPR will come into force on 25 May 2018 and will result in a significant overhaul of the existing European Data Protection regime. It will repeal and replace the current Data Protection Directive (94/46/EC), which forms the basis for the current Irish legislative framework, being the Data Protection Acts, 1988 and 2003. The changes contemplated by GDPR will place significantly more obligations on organisations and give more rights in favour of individuals. Ronan Daly Jermyn has compiled a list of the 10 key changes to the current Data Protection framework all organisations need to be aware of. To read more, click here.

May 26, 2017
The Data Protection Commissioner (DPC) has also issued some very useful pieces of guidance for readers based in the Republic of Ireland ( and ) , as has the Information Commissioner’s Office (ICO) for those based in the UK and Northern Ireland ( Members are, therefore, advised to regularly check the CAI, DPC and/or ICO websites for the latest information and guidance in this area.