
Getting to grips with GDPR

Posted on: 01 Jun 2021

Just over three years after the introduction of the EU’s General Data Protection Regulation, many business owners are still at sea – but with fines of up to €20m or 4% of turnover on the table, it’s important to get it right. We take a look at how Irish businesses have been affected, and what help is available to keep your organisation compliant. Morgan Stokes reports.


On May 25, 2018, the EU’s General Data Protection Regulation came into force across the Union, bringing with it a sense of relief for legal professionals and digital security workers alike. Angelique Carson, Director of Content at data privacy platform Osano, compared it to Y2K in the company’s newsletter, “[but] like Y2K, reality doesn’t align with the expectations”.

Of the many criticisms levelled at GDPR, its complex nature is right at the forefront. Small business owners scrambled to keep up with the changes, and as of last year, many Irish organisations were still uncertain about their data protection procedures – a McCann FitzGerald and Mazars survey published in 2020 found that only 8% of participating organisations believed that they were fully compliant with GDPR.

That isn’t to say that Irish businesses aren’t trying; 69% of those surveyed carried out regular reviews of their practices. The figures make it clear that some guidance is still needed, and retailers and suppliers pushed to embrace eCommerce by the pandemic may also be unfamiliar with regulations around areas like cookies, website privacy policies and electronic mailing lists.

An unfair burden?

Another charge often levelled at the law is the unevenness of its application, with initial GDPR champion and former EU justice chief Viviane Reding leading calls for revision this May. There is a general perception that regulators are finding it easier to enforce the Regulation against small concerns than against the large tech companies that are believed to be the worst offenders.

Irish organisations are certainly feeling the strain; the McCann FitzGerald and Mazars survey found that 62% of participants felt that GDPR caused them an undue administrative burden.

Customers do care

Problems or not, as of now, it is essential that businesses comply with the law. Not only are the fines prohibitive, but customers are also showing significant sensitivity when it comes to the way their personal data is handled.

Possibly the biggest and most unexpected change since the introduction of the law is increased awareness among the public of their rights; Carson notes that almost every major newspaper now has a privacy reporter. The Data Protection Commission’s annual report for 2020 showed that 4,060 complaints were made under GDPR that year.

Keeping up with cookies

2020 saw a major change in the privacy landscape – the Data Protection Commission resolved to crack down on cookies. The organisation conducted a major review of cookies on various websites (the infamous ‘Cookie Sweep’) in late 2019 and early 2020, looking for violations of GDPR and Irish privacy law, and began enforcement in October 2020 after a six-month grace period for compliance.

Cookies are small files that a website stores in a visitor’s browser to remember state and user behaviour. Some are essential for websites to work - for example, identifying users when they log in, managing traffic over a network, or remembering what customers have put in a shopping basket - while others track user behaviour in a way that can be seen as unnecessary.

Cookies can be divided into two categories: first party and third party. First party cookies give user information to you. Aside from the strictly necessary examples given above, they can also give you information on who is using your website and how; these are analytics cookies.

Third party cookies give information about your site users to others. This can be a tracking pixel placed by an online advertiser on your website, but there are less obvious examples; if you have a button on your site that allows users to share your content to their social media page, their data can be sent from your site to the social media site in question.

Your website users need to consent to every category of cookie you use. This needs to be explicit and not implied; you can’t put up a banner that says that they accept the use of cookies by browsing the site, for example. You also can’t ‘nudge’ users to accept cookies by having boxes pre-ticked, or by having your ‘Accept’ button be larger than your ‘Reject’ button.

A full breakdown can be found on the Data Protection Commission’s website.
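As an added illustration (not code from the article or from the Data Protection Commission), the following minimal consent model applies the rules above in a website’s front-end logic: consent is tracked per category, only strictly necessary cookies are permitted by default, a missing choice is never treated as acceptance, and a small checker flags banner configurations that pre-tick boxes, oversize the Accept control, or treat scrolling as consent. The category names and the configuration fields are assumptions for the example.

```javascript
'use strict';

// Assumed categories for this example: 'necessary' is always allowed;
// the others need an explicit, per-category opt-in from the visitor.
const CATEGORIES = ['necessary', 'analytics', 'thirdParty'];

// Default state before the visitor has chosen anything.
function defaultConsent() {
  return { necessary: true, analytics: false, thirdParty: false };
}

// Record the visitor's explicit choices. Every non-essential category must
// be a real true/false decision; an absent value throws rather than being
// read as acceptance, so "consent by browsing" cannot slip through.
function recordConsent(choices) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat === 'necessary') continue;
    if (typeof choices[cat] !== 'boolean') {
      throw new Error(`explicit choice required for category: ${cat}`);
    }
    consent[cat] = choices[cat];
  }
  return consent;
}

// Gate used before setting a cookie or loading a tag: is this category
// permitted under the current consent state? Unknown categories are denied.
function mayUse(category, consent) {
  if (!CATEGORIES.includes(category)) return false;
  return consent[category] === true;
}

// Check a (constructed) banner configuration against the nudging rules.
// cfg.preChecked: {category: bool}; button areas in arbitrary units;
// cfg.acceptOnScroll: whether browsing/scrolling is treated as acceptance.
function bannerProblems(cfg) {
  const problems = [];
  for (const cat of CATEGORIES) {
    if (cat !== 'necessary' && cfg.preChecked && cfg.preChecked[cat]) {
      problems.push(`pre-ticked box for ${cat}`);
    }
  }
  if (cfg.acceptButtonArea > cfg.rejectButtonArea) {
    problems.push('Accept button larger than Reject button');
  }
  if (cfg.acceptOnScroll) problems.push('consent implied by browsing');
  return problems;
}
```

Wire `mayUse` in front of every analytics or third-party script loader so that, until `recordConsent` has stored a true decision for that category, the tag is simply never executed.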

What help is available?

Fortunately, there is information out there to help small businesses become aware of their rights and responsibilities.

The Small Firms Association has created a number of guides and webinars, designed as a practical resource that breaks GDPR down into its component parts and sets out exactly what is relevant for small business owners.

Local Enterprise Offices around the country have designed easy-to-follow guides aimed specifically at small businesses. You can get in contact with one in your area or check out their online training materials.

The Data Protection Commission, of course, has information freely available on its website. While much of it can seem dense and overwhelming, it does have a range of more user-friendly resources, including a podcast.

However, it is important to note that none of these guides constitute legal advice, and with so much to consider, you may be better off hiring a professional, particularly if you have a lot of employees who require training. Look for legal firms that specialise in privacy, or companies that can handle reviews, training and implementing digital changes.