Preparing for new data protection regulation

The all-island electricity industry is gearing up for the EU General Data Protection Regulation (GDPR), which comes into force in May next year.

EAI Associate Member and Irish law firm Matheson recently hosted a breakfast seminar for representatives of the electricity industry on the island of Ireland to learn more about what the GDPR entails.

Chris Bollard, Partner, Innovation and Technology, at Matheson said: “The GDPR introduces potentially severe regulatory fines for breach of privacy laws. Non-compliance also brings the threat of reputational harm. While the basic principles of data protection law have not changed fundamentally, data subject rights have increased and the powers of supervisory authorities have also increased.”

The GDPR will replace existing EU and national data protection legislation in order to harmonise data privacy laws across Europe and to protect and empower all EU citizens’ data privacy. It will also reorganise the way organisations across Europe approach data privacy.

The new regulation includes mandatory data breach reporting, which means that companies based in Ireland will be obliged to notify the Data Protection Commissioner (DPC) within 72 hours of becoming aware of a data breach. Companies based in Northern Ireland are advised to refer to guidance from the Information Commissioner’s Office.

Organisations in non-compliance could face fines of up to €20 million or 4% of global turnover, whichever is higher. There’s also the potential for data protection audits/inspections.

Matheson has provided a series of good practice steps that companies can take now to help ensure compliance:

  • Conduct data audits – understand where European data is coming from, the basis of collection and the purpose it is being used for
  • Think about whether you need to appoint a Data Protection Officer
  • Revisit crucial vendor/supplier agreements to ensure that data protection is dealt with
  • Educate the key internal stakeholders, for example HR, IT, Marketing, C-Suite.

In thanking Matheson for hosting the event, EAI CEO Owen Wilson said: “The all-island electricity industry is fully aware of the increasingly important role that data can play in terms of harnessing the benefits of technology and helping to unlock the power of the consumer. Yet it remains sensitive at all times to the privacy of individuals. At EAI we place huge importance on providing information sessions like this so that our Members become even more aware of how they can manage and protect data.”

Chris added: “Ultimately compliant companies will be rewarded – they are the companies to which people will be willing to entrust their data or do business with.”

The enforcement date for the GDPR is 25 May 2018. Further information on the regulation is available from the Data Protection Commissioner.

The Matheson presentation from this event is available to EAI Members.