Wednesday 18 October 2017

Watchdog warns of reputational risk for firms

Irish data protection law expert Emerald de Leeuw. Photo: Gerry Mooney

Simon Rowe

Failure to comply with incoming EU regulations on data protection will cost Irish firms dearly in terms of punitive fines that will be imposed by data regulators. But the ensuing reputational damage from data breaches may be even more damaging.

That was the warning issued by Ireland's Data Protection Commissioner, Helen Dixon, at the INM Datasec conference in the RDS in Dublin last week.

In a keynote address, Ireland's data watchdog provided 250 delegates with an update on the upcoming General Data Protection Regulation (GDPR).

"To do nothing ahead of May 2018 is not an option, because there will be consequences to pay - and the consequences will be very significant for any organisation, whether they are public or private," said Dixon.

"The GDPR is a game-changing piece of regulation and cannot be ignored.

"Any loss of trust and confidence on the part of consumers in the digital economy will mean jobs and growth potential will fail to be realised," she added.

Dixon said that European data protection regulators are acquiring massive new administrative fining capabilities under the GDPR (up to €20m or 4pc of global turnover of an undertaking in the case of certain infringements) in addition to powers to impose a variety of sanctions aimed at protecting this fundamental right.

"And, of course, it's worth bearing in mind that the quantum of the administrative fee may not be the biggest hit a company takes when they contravene the legislation," she said.

"It may be the publication of the fact of the fine and the reasons for it on the regulator's website that causes the greater damage for a company in terms of reputational damage."

Irish data protection law expert Emerald de Leeuw told delegates that Ireland will be at the centre of a legal battleground when it comes to international disputes over privacy law due to its status as Europe's data centre hub.

De Leeuw also warned companies to be aware of their potential legal liabilities under the GDPR regime.

Dixon said the new regulatory regime will lead to an "enhanced right of civil action on the part of data subjects where they can pursue controllers and processors for compensation even where they haven't suffered any financial loss".

"This change in the law under GDPR where distress or humiliation for example could ground an action by an individual is likely to lead to far greater direct pursuit of organisations by data subjects than we have seen heretofore," she said, adding that the new regime had transformed her office.

"The GDPR is requiring a transformation in the size, skills, structure and powers of the Irish data protection authority, as it will in the case of most of the other European data protection regulators," she said.

"The Government has recognised a need to fund a strong and independent regulator in Ireland and the budget of the office has quadrupled in the last three years.

"We've more than doubled our staff numbers in that time to over 65 staff with an additional 30 staff to be recruited in 2017 and we've moved to a new premises in the centre of Dublin."

Other speakers at last week's INM conference in the RDS, opened by Minister for Communications Denis Naughten, included cyber security strategist Joseph Carson; Mark Adair, partner at law firm Mason Hayes Curran; Daragh O'Brien, chief executive of Castlebridge; and Alan Curley, privacy manager at Johnson & Johnson.

Sunday Indo Business
