Marie Murphy
One of the big trends we noticed towards the second half of 2019 was the number of prospective clients coming to us to get help because they had come to the attention of the Data Protection Commissioner. These were almost always well-meaning people and organisations – who weren’t deliberately ignoring the law but instead had put it on the long finger.
We weren’t hearing the “whole load of red tape, designed to kill business” mantra of those who are dragged kicking and screaming into the realisation that with great power over people’s personal information comes great responsibility.
This time we were meeting people who knew they should be doing something but never quite got around to it. The inertia of not knowing where to start, of being busy with the pressing daily demands of running a business and frankly a bit of fear of the unknown was holding them back.
Usually they came to the attention of the DPC because of a security breach – either in their own systems or one of their processors. In all cases, their interaction with the DPC was more protracted and more intense because they weren’t prepared.
When we report a breach on behalf of one of our clients – which I can assure you is a very regular occurrence – we may have one or sometimes two follow-up emails confirming committed actions have been taken. From what we see, companies who are unprepared often end up engaging with the DPC for 3-6 months and committing to a pretty steep schedule to get corrective actions in place.
Depending on the incident, the DPC may ask to see an organisation’s privacy policy (the internal policy document, not the customer facing privacy statement), their Technical and Organisational Measures(TOMS) or their Record of Processing Activities(ROPA), retention schedule, processes for responding to data subject rights or security incidents. It’s not an easy conversation to admit to not having any of the requested artefacts in place.
It gives the wrong impression of the business for one thing. Most businesses care about their customers and would not deliberately set-out to cause harm or embarrassment to them but for some reason they draw a blank when it comes to their customers personal information which if not handled with due care could cause their customers considerable harm or embarrassment.
So this year, let your business New Year Resolution be a simple one – stop putting your data protection obligations on the long finger, start treating your customers personal information with the same respect you treat your customers and be prepared for the day you may need to come into contact with the Data Protection Commission.
The great irony of course being that the more prepared you are, the less likely it is that you will need to engage. As Benjamin Franklin said, “By failing to prepare, you are preparing to fail.”
Happy New Year to all our clients, colleagues and friends.
Fort Privacy offers short term engagements (starting from 6 months) to help businesses get their core data protection program in place. We equip our clients with the artefacts and the knowledge they need to ensure their ongoing compliance efforts are robust and well informed and we provide ongoing support on demand.]
Sign-up to receive news and information from Fort Privacy
Fort Privacy processes your personal data in order to respond to your query and provide you with information about our products and services. Please see our Data Protection Statement for further information
As a technologist, I am both excited and appalled at the developments in AI and it seems from various surveys that I am not alone. My greatest wish is that we can harness its power for good while dampening its power for misuse. It is early days yet – let’s hope this wish comes true!
Everyone loves a quiz so we decided we would kick-off the new year with a bit of tongue-in-cheek fun.
Continuing the tradition of the Fort Privacy Christmas blog this year we are thinking about Santa and AI. Well, we need to keep these articles topical after all!
