With a year to go to the introduction of strict new European-wide rules on data protection, just 14% of small and medium businesses have begun preparing for it, according to a new survey by Amárach Research.
The survey, carried out on behalf of the Office of the Data Protection Commissioner, found that over a quarter of businesses do not know when they will be getting ready for the introduction of the General Data Protection Regulation.
Just over two thirds of small and medium-sized firms say they have heard of the regulation, although a similar percentage did not know it will take effect 12 months from now.
83% were not able to say what changes the General Data Protection Regulation would mean for their business.
The survey of 500 businesses also found that 67% of companies have yet to carry out an assessment of all the personal data they hold.
"The GDPR is a game-changing overhaul of our current data protection laws," said Data Protection Commissioner Helen Dixon.
"It will impact every type of company and organisation regardless of their size and require many of them to take significant action well before 25 May 2018."
More than half of those surveyed said they have still to assess why they hold personal data and nearly two thirds said they had not assessed how long they needed to keep this data.
The Office of the Data Protection Commissioner has launched an awareness campaign to highlight the looming introduction of the new rules and a 12-step guide to readiness.
More details of what businesses should be doing to prepare are available at GDPRandYou.ie.
The General Data Protection Regulation will strengthen rights that individuals have to control their own data, including the right to basic data portability.
Any organisation that processes personal data needs to ensure it is properly protected against loss, theft and unauthorised access, with mandatory reporting to the supervisory authority within 72 hours in the case of a breach.
The GDPR allows regulators to impose heavy sanctions of up to €20 million or 4% of total annual worldwide turnover for the most serious of breaches.
"GDPR represents an evolution in data protection rights and obligations, but a revolution in terms of the burden and potential sanctions for non-compliance," said Paul Lavery, Partner and Head of Technology and Innovation Group, McCann FitzGerald.
"All companies need to start getting ready for GDPR as soon as possible, as the consequences for non-compliance will include large fines and even proposed personal liability for directors."
"For businesses the potential damage to reputation may be even more dissuasive than any fine."