What GDPR Means in Practice for Irish Business

The General Data Protection Regulation (GDPR) is a European directive aimed at ring-fencing consumer data against illegal or unnecessary access. There is nothing to discuss or debate with local politicians, or the Irish Data Protection Commissioner for that matter. As a European directive, it has over-riding power. To obtain an English version, please visit this link, and select ?EN? from the table of languages.

As you reach for your tea, coffee or Guinness after sighting it, you will be glad to know the Irish Data Protection Commissioner has the lead in turning this into business English we understand. The following diagram should assist you to obtain a quick overview of the process we all have to go through. In this article, we briefly describe what is inside Boxes 1 to 12. The regulation comes into force on 25 May 2018 so we have less than a year to get ready.

The 12 Essential Steps to Implementing the General Data Protection Act

1. Create awareness among your people of what is coming their way. The GDPR has given our regulator discretion to dish out fines up to ?20,000,000 (or 4% of total annual global turnover, whichever is greater) so there is determination to make this happen.

2. Become accountable by understanding the consumer data you hold. Why are you retaining it, how did you obtain it, and why did you originally collect it. Now you know it is there, how much longer will you still need it? How secure is it in your hands, have you ever shared it?

3. Open a communication channel with your staff, your customers, and anyone else using the data. Share how you feel about how accountable you have been with the information in the past. Explain how you plan to comply with the GDPR in future, and what needs to change.

4. Understand the personal privacy entitlement of the subjects of the information. They have rights to access it, correct mistakes, remove information, restrict its use, decline direct marketing, and copy it to their own files. What needs to change in your systems to assure these rights?

5. Issue a policy for allowing consumers access to their information you hold. You must process requests within a month, and you may not charge for the service unless your cost is excessive. You may decline unfounded or excessive demands within your policy guidelines.

6. Adapt to the requirement that you must have a legal basis for everything you do with, and to consumer data. You need to be in a position to justify your actions to the Irish Data Protection Commissioner in the event of a complaint. Having a legitimate interest is no longer sufficient.

7. Ensure that consumer consent to collect, use, and distribute their data is ?freely given, specific, informed, and unambiguous.? From 25 May 2018 onward, this consent will be your only ground to do so. You cannot force consent. Your benchmark becomes what the GDPR says.

8. Issue rules for managing data of underage subjects. This is currently under review and we are awaiting results. Put systems in place to verify age. Set triggers for where guardians must give consent. Make sure age is verifiable. Use language young people understand.

9. Introduce a culture of openness and honesty, whereby breaches of the GDPR are detected, reported, investigated, and resolved. You will have a duty to file a GDPR report with the Data Protection Commissioner within 72 hours, thus it is important to fast track the process.

10. Introduce a policy of conducting a privacy assessment before taking new initiatives. The GDPR calls for ?privacy by deign?, and we need to engineer it in. This may be the right time to appoint a data controller in your company, and start implementing the GDPR while you have time.

11. You may also need to appoint a data protection officer depending on the size of your business. Alternatively, you need to add managing data protection compliance to an employee?s duties, or appoint an external data-protection compliance consultant.

12. Finally, and you will be glad to know this is the end of the list, the GDPR has an international flavour in that multinational organisations will report into the EU Lead Supervisory Authority. This will manage the process centrally while consulting national data authorities.

The GDPR is a project we all need to complete. If we are out of line, it is in our interests to get things straightened out. Once everything is in place, the task should not be too onerous. Getting there could be the pain.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Check our similar posts

How to Reduce Costs when Complying with SOX 404

Section 404 contains the most onerous and most costly requirements you’ll ever encounter in the Sarbanes-Oxley Act (SOX). In this article, we?ll take a closer look at the salient points of this contentious piece of legislation as it relates to IT. We?ll also explain why companies are encountering difficulties in complying with it.

Then as soon as we’ve tackled the main issues of this section and identify the pitfalls of compliance, we can then proceed with a discussion of what successful CIOs have done to eliminate those difficulties and consequently bring down their organisation’s IT compliance costs. From this post, you can glean insights that can help you plan a cost-effective way of achieving IT compliance with SOX.

SOX 404 in a nutshell

Section 404 of the Sarbanes-Oxley Act, entitled Management Assessment of Internal Controls, requires public companies covered by the Act to submit an annual report featuring an assessment of their company?s internal controls.

This ?internal control report? should state management’s responsibility in establishing/maintaining an adequate structure and a set of procedures for internal control over your company?s financial reporting processes. It should also contain an assessment of the effectiveness of those controls as of the end of your most recent fiscal year.

Because SOX also requires the public accounting firm that conducts your audit reports to attest to and report on your assessments, you can’t just make baseless claims regarding the effectiveness of your internal controls. As a matter of fact, you are mandated by both SEC and PCAOB to follow widely accepted control frameworks like COSO and COBIT. This framework will serve as a uniform guide for the internal controls you set up, the assessments you arrive at, and the attestation your external auditor reports on.

Why compliance of Section 404 is costly

Regardless which of the widely acceptable control frameworks you end up using, you will always be asked to document and test your controls. These activities can consume a considerable amount of man-hours and bring about additional expenses. Even the mere act of studying the control framework and figuring out how to align your current practices with it can be very tricky and can consume precious time; time that can be used for more productive endeavours.

Of course, there are exceptions. An organisation with highly centralised operations can experience relative ease and low costs while implementing SOX 404. But if your organisation follows a largely decentralised operation model, e.g. if you still make extensive use of spreadsheets in all your offices, then you’ll surely encounter many obstacles.

According to one survey conducted by FEI (Financial Executives International), an organisation that carried out a series of SOX-compliance-related surveys since the first year of SOX adoption, respondents with centralised operations enjoyed lower costs of compliance compared to those with decentralised operations. For example, in 2007, those with decentralised operations spent 30.1 % more for compliance than those with centralised operations.

The main reason for this disparity lies in the disorganised and complicated nature of spreadsheet systems.

Read why spreadsheets post a burden when complying with SOX and other regulations.

Unfortunately, a large number of companies still rely heavily on spreadsheets. Even those with expensive BI (Business Intelligence) systems still use spreadsheets as an ad-hoc tool for data processing and reporting.

Because compliance with Section 404 involves a significant amount of fixed costs, smaller companies tend to feel the impact more. This has been highlighted in the ?Final Report of the Advisory Committee on Smaller Public Companies? published on April 23, 2006. In that report, which can be downloaded from the official website of the US Securities and Exchange Commission, it was shown that:

  • Companies with over $5 Billion revenues spent only about 0.06% of revenues on Section 404 implementation
  • Companies with revenues between $1B – $4.9B spent about 0.16%
  • Companies with revenues between $500M – $999M spent about 0.27%
  • Companies with revenues between $100M – $499M spent about 0.53%
  • Companies with revenues less than $100M spent a whopping 2.55% on Section 404

Therefore, not only can you discern a relationship between the size of a company and the amount that the company ends up spending for SOX 404 relative to its revenues, but you can also clearly see that the unfavourable impact of Section 404 spending is considerably more pronounced in the smallest companies. Hence, the smaller the company is, the more crucial it is for that company to find ways that can bring down the costs of Section 404 implementation.

How to alleviate costs of section 404

If you recall the FEI survey mentioned earlier, it was shown that organisations with decentralised operations usually ended up spending more for SOX 404 implementation than those that had a more centralized model. Then in the ?Final Report of the Advisory Committee on Smaller Public Companies?, it was also shown that public companies with the smallest revenues suffered a similar fate.

Can we draw a line connecting those two? Does it simply mean that large spending on SOX affects two sets of companies, i.e., those that have decentralised operations and those that are small? Or can there be an even deeper implication? Might it not be possible that these two sets are actually one and the same?

From our experience, small companies are less inclined to spend on server based solutions compared to the big ones. As a result, it is within this group of small companies where you can find a proliferation of spreadsheet systems. In other words, small companies are more likely to follow a decentralised model. Spreadsheets were not designed to implement strict control features, so if you want to apply a control framework on a spreadsheet-based system, it won’t be easy.

For example, how are you going to conduct testing on every single spreadsheet cell that plays a role in financial reporting when the spreadsheets involved in the financial reporting process are distributed across different workstations in different offices in an organisation with a countrywide operation?

It’s really not a trivial problem.

Based on the FEI survey however, the big companies have already found a solution – employing a server-based system.

Typical server based systems, which of course espouse a centralised model, already come with built-in controls. If you need to modify or add more controls, then you can do so with relative ease because practically everything you need to do can be carried out in just one place.

For instance, if you need to implement high availability or perform backups, you can easily apply redundancy in a cost-effective way – e.g. through virtualisation – if you already have a server-based system. Aside from cost-savings in SOX 404 implementation, server-based systems also offer a host of other benefits. Click that link to learn more.

Not sure how to get started on a cost-effective IT compliance initiative for SOX? You might want to read our post How To Get Started With Your IT Compliance Efforts for SOX.?

Measure it to manage it with smart meters

Measure it to manage it. This saying applies perfectly to energy management. Effectively managing energy use is virtually impossible with unreliable measurement devices in place or worse still, no measurements at all. Smart meters are a smart way to measure energy and water usage giving you more control over the amount of energy or water usage.

Smart energy meters:
Smart meters are indeed a smart way to get insight into your energy use which brings more security and a better environment. They can also enable you to get Smart Energy Reports that are a personalised guide to energy efficiency.

Other benefits of smart meters:

? You are able to generate simple graphs and charts showing you where you use your energy and money

? Consumption of gas and electricity is broken down. This implies that one can be able to view their spending at a glance

? Smart meters track consumption on a monthly basis enabling you to compare your own consumption against other similar households

? By tracking energy consumption and spending over time, one can be able to view the history and assess the impact of their energy efficiency measures over a particular period

Smart water meters:
Smart meters are not only used for measuring energy use, they are also used to measure water usage efficiency. Water efficiency is essential for management of sustainable water resources.

Water resources have been diminishing over time posing a challenge for water users and water suppliers to seriously look for ways to manage water efficiency. The need for accurate, adequate and reliable measurement and monitoring practices of water consumption in organisations can therefore not be overlooked.

Timely collection and analysis of water use data, and relaying this data in a timely manner to the water user, can result in significant changes in water use behaviour. Other benefits include instant detection of areas where water wastage is occurring e.g. leakages hence action is taken to save water. Similar to energy data, water data collected by smart metering systems is also vital in designing water efficiency and recycling systems as well as the improvement of demand management policies and programs.

The use of smart meters to monitor water consumption enables users to analyse, and interpret the data collected. This feedback enables users to change their behaviours.

Energy Management Tips

Energy management is of interest to various stakeholders; be it heads of facilities, heads of procurement, heads of environment and sustainability, financial officers, renewable energy managers and heads of energy. Some of the energy management tips that can be used to achieve considerable energy savings are:

1) Purchasing energy supplies at the lowest possible price

2) Managing energy use at peak efficiency

3) Utilising the most appropriate technology

1. Purchasing energy supplies at the lowest possible price
Purchasing energy supplies at the lowest possible price could be the starting point to great savings of energy costs. This can be achieved through switching your energy supplier. It is always advisable for companies to always take time to compare the energy tariffs to ensure they are on the best tariff and make great savings.

2. Managing energy use at peak efficiency

(a) Free help

There are some online tools that offer energy-efficiency improvements. These could come in handy in helping someone find out where to make energy-efficiency improvements.

(b) Energy monitors

An energy monitor is a gadget that estimate in real time how much energy you’re using. This can help one see where to cut back on energy consumption.

(c) Turning down thermostats

Turning down radiators especially in rooms that are rarely used/empty rooms or programming the heating to turn off when no one is there can go a long way in saving energy and energy costs.

(d) Use energy saving bulbs

Use of energy-saving light bulbs can cut down on energy usage drastically. Replacing all the light bulbs with energy-saving ones could make significant savings on energy usage and replacement costs since energy saving bulbs also have a longer life.

(e) Switching off unnecessary lights

It is also important to switch off lights that are not in use and to use the best bulb for the size of room.

(f) Sealing all heat escape routes

It is recommended that all gaps should be sealed in order to stop heat from escaping. Some of the heat escape routes are: windows, doors, chimneys and fireplaces, floorboards and skirting and loft hatches. The ways through which this can be achieved are:

? Windows- use of draught-proofing strips around the frame, brush strips work better for sash windows

? Doors – use of draught-proofing strips for gaps around the edges and brush or hinged-flap draught excluders on the bottom of doors

? Chimney and fireplace – inflatable cushions can be used to block the chimney or fit a cap over the chimney pot on fireplaces that are not used often

? Floorboards and skirting – Using a flexible silicon-based filler to fill the gaps

? Loft hatches – the use of draught-proofing strips can help to prevent hot air escaping
It is also important to consider smaller holes of air such as keyholes and letterboxes.

3. Utilising the most appropriate technology
Utilisation of technology as an energy management tool can be by way of choosing more energy efficient gadgets and by way of running technological gadgets in an energy efficient manner.

Ready to work with Denizon?

Contact Us Today