17 July 2024

Irish businesses continue to face compliance challenges with GDPR six years on

Pictured from left to right: Liam McKenna, Partner at Forvis Mazars; Graham Doyle, Deputy Commissioner of the Data Protection Commission Ireland; Amy Brick, Partner; and Paul Lavery, Partner.

The research conducted by Ipsos B&A found that just 15% of businesses consider their organisation to be ‘fully compliant’ with the legislation, which is billed as the toughest privacy and security law in the world. A further 58% of respondents indicated their organisation was ‘materially compliant’, and 25% say their organisation was ‘somewhat compliant’. In order to achieve their compliance targets, half of the businesses surveyed believe they need more resourcing, financial investments or further expertise in this space.

The research also found that 82% of respondents believe the risks associated with GDPR non-compliance are increasing, with respondents citing ‘reputational risk’ as the most important factor in determining an organisation’s data protection risk appetite, followed by ‘fear of fines’. Eight in 10 (81%) of the businesses surveyed say they intend to improve their compliance status.

This is the eighth edition of the McCann FitzGerald LLP and Forvis Mazars annual survey on the impact of GDPR on organisations in Ireland. As well as examining the latest perceptions among Irish businesses regarding GDPR compliance, the report also assesses awareness and readiness for a wave of new legislative developments from the European Union in response to rapid technological changes.

Findings show that 60% of those surveyed are concerned about the impact of new digital legislation on their organisation, which includes DORA (the Digital Operational Resilience Act), the AI Act, the Data Act, the Data Governance Act, the Digital Services Act, the Online Safety and Media Regulation Act, the Digital Markets Act, the Network and Information Security Directive 2 (NIS2) and the Cyber Resilience Act. There is also a high degree of uncertainty regarding the new legislation with many respondents being unsure of their applicability to their business, which suggests further education and awareness is required within organisations.

Key Findings:

• 82% of respondents agree that the risks associated with GDPR non-compliance are increasing, up from 70% in last year’s survey.
• 81% of respondents intend on improving their compliance status.
• 59% of respondents are concerned about the prospect of being fined for GDPR non-compliance, compared to 58% in last year’s survey.
• 47% of respondents agree that working to comply with GDPR has delivered many benefits for their organisation, up from 34% last year.
• Over half of the respondents (52%) say that the CEO of their organisation is strongly engaged in GDPR compliance and data privacy, compared to 50% in 2023.
• Six out of 10 respondents are concerned about upcoming digital legislation.
• 63% of respondents indicated that the AI Act will apply to their organisation.

Commenting on the report, Paul Lavery, Partner at McCann FitzGerald LLP, added: “The effectiveness of the GDPR as one of the toughest data privacy laws in the word is perhaps evidenced by the fact that organisations are still actively working on improving their compliance six years on. It is much more than a tick-the-box exercise and staying on the right side of these complex requirements will require ongoing attention and focus by Irish organisations.

The good news is that this experience will serve businesses well as they prepare for new legislation coming down the track from the European Union. Legislating for rapidly changing technologies such as AI is no easy task, and we can expect regulations around data, AI, cyber resilience, information security and digital services to continue to evolve in the coming years.”

Liam McKenna, Partner in Consulting Services at Forvis Mazars, said: “This survey underscores the essential need for organisations to remain up to date with both current and forthcoming regulations in the digital space. Irish businesses must diligently maintain their compliance initiatives, particularly amid the significant financial and reputational risks at stake.

“Although GDPR regulations were implemented in 2018, that only 15% of Irish companies are fully compliant is a concern for Irish business, particularly in light of further digital legislation coming down the tracks including the Digital Operational Resilience Act (DORA), AI Act, Data Act, and Digital Services Act, among others. Irish companies therefore need to urgently focus on GDPR adherence, while actively gearing up for new legislative requirements.”