On the 3rd Anniversary of GDPR: 46% of businesses admit they still struggle with GDPR regulation #GDPR #ACOI

More than 4 in every 10 Irish businesses are still struggling with elements of GDPR in their day-to-day operations three years after its introduction. This is one of the primary findings of the latest nationwide survey from the Association of Compliance Officers in Ireland (ACOI). The survey of over 300 organisations, answered by ACOI members with responsibility for compliance in financial organisations throughout the country, was released in tandem with the third anniversary of the introduction of the EU-wide regulatory system for data control and privacy. The survey found that while two thirds of organisations are fully or almost fully compliant, another third of firms have yet to reach that level.

Speaking of the findings, Michael Kavanagh, CEO of ACOI, commented,

“It’s encouraging to find that everything is ‘running smoothly’ for 54% of businesses in their GDPR operations and control. This is certainly something to be lauded, as implementing the code has proved a complex and often time-consuming task for many. Which is why it’s concerning, but perhaps unsurprising, to find the remaining organisations that participated in our survey (46%) are still struggling, despite being three years into the regulations. This raises questions around whether or not businesses feel they have enough support in this area? And more importantly, is there more that can be done to help companies struggling in this regard?”

GDPR regulation requires businesses to protect the personal data and privacy of EU citizens for transactions occurring within EU member states.

Mr. Kavanagh commented,

“The survey reveals that a quarter of businesses are “fully compliant” with the regulations. This means they have successfully implemented all the measures required and that they have limited their exposure to regulatory penalties. A further 42%, the majority of respondents, were “almost fully compliant”, meaning they still have elements to work on in terms of their exposure to penalty. This could be in an area of accountability and governance they have overlooked, or it could be to do with privacy rights, or data security. 31% agreed that they were “somewhat compliant”, but that gaps remained.

To any companies that may overlook their compliance in this critical area of business, or indeed who may have let their systems lapse owing to pressures in other areas of operations, we would advise them to rectify the issues as soon as possible, because EU regulatory bodies have inflicted, and will inflict, heavy penalties on companies that do not adhere to the required GDPR standards.”

COVID & GDPR

The ACOI survey also found that almost 4 in 10 businesses believe GDPR would make it very difficult for businesses to collect and collate employee health and vaccination data.

Mr. Kavanagh went on to say,

“Like most things, COVID will have implications for GDPR and vice versa in terms of collection of employee health and vaccination data. It is evident from our survey that if employers were to gather this data, many employers feel that GDPR could hamper their efforts – so consideration would have to be given to this area”.

Mr. Kavanagh concluded,

“We would encourage business owners to make full use of the various supports and resources available to businesses to help them in this area, which range from online GDPR checklists to compliance professionals who can audit your GDPR compliance, improve systems, and fill in any outstanding gaps.”

Remote Working and Cyber Attacks are Biggest Data Protection Threats Facing 65% of Irish Organisations in 2021

Remote working and the threat of cyber-attacks are the number one data protection concern for 65% of Irish companies in 2021. This is according to a new survey from the Association of Compliance Officers Ireland (ACOI) which sought to understand the current data protection risks facing companies – 85% of whom have more than 75% of their workforce currently working from home. The survey of more than 250 organisations – answered by ACOI members with responsibility for compliance in financial organisations throughout the country – revealed that the mobile workforce arrangements, necessitated by the pandemic since last year, have left employers feeling increasingly vulnerable to data protection breaches.

Speaking of the findings, Michael Kavanagh, CEO of ACOI, said,

“It’s abundantly apparent from this survey that remote working is a major issue facing firms this year when it comes to data protection, with 34% of businesses voicing their concerns around the risks associated with it. Given how intertwined the two things are it is perhaps unsurprising that risk of cyber-attack was cited by 31% of respondents as the biggest concern. Indeed, the two are not mutually exclusive, with remote working increasing organisations’ vulnerability to attacks.

85% of our respondents have more than 75% of their workforce out of the office at the moment and while the survey suggests that the remote working landscape will certainly not look the same in 12 months, it is clear that the intricacies of having a national mobile workforce is something that all organisations will have to consider, both now and into the future, as flexibility around where people carry out their various roles becomes a key feature of modern day business.”

The remote working risk

The ACOI report that in the last 12 months many organisations have had to reassess their data security systems to adapt to new levels of cyber risk to internal assets and data, and urge any that have yet to do so to move with some immediacy to rise to the data protection challenges of an off-site workforce. When asked if the risk of cyber-attack has become a greater consideration since the redeployment of staff to home-based working, 89% of respondents said it has, to varying degrees.

Mr. Kavanagh commented,

“Redeploying employees to work from home has “considerably” increased risk for 37% of organisations, while 52% said it had increased risks “a little”. What’s interesting is that when we asked the same question last year 10% fewer organisations felt the risk had increased “considerably”. This would suggest that the recognition of, appreciation for, and experience of, risk is growing.

The context for cybercrime and cyber-attack in Ireland is constantly evolving. PwC’s Irish Economic Crime Survey 2020[1] found that 69% of firms in Ireland have experienced cybercrime in the last 24 months, and that the incidence of cybercrime in Ireland (69%) is double that experienced by global companies (34%). The report also outlines that Ireland is now Europe’s largest data hosting cluster, putting the need for elevated cybercrime and data protection systems into sharp focus.”

The ACOI advise that regulators in Ireland and around the world have been constantly updating and issuing new guidance to firms in response to emerging cyber security issues, such as fake documentation, the reliability of information sources, and data privacy and protection. While the level of risk varies according to the sector, it is widely accepted among the financial services sector that COVID-19 has led to heightened risks in relation to money laundering and cyber-attacks.

Detect and Protect

Mr. Kavanagh explains that there are ways for compliance professionals to detect and mitigate the increasing level of risk from cyber-crime that the business world is seeing.

“Whether it’s keeping your software and security systems up to date, running regular checks, or introducing more complex processes such as two-step authentication to your transactions and communications, there are small steps that businesses can take that will help detect and protect them from cyberthreats. However, a combination of technology and human resources will always be the best approach to maintaining cyber-safe and secure working practices and operational environments.”

Appendix

What is the number one data protection risk for your company in 2021?

  • Remote working: 34%
  • Cyber-attacks: 31%
  • New rules around international data transfers – Schrems II: 13%
  • The volume of staff training needed: 8%
  • Brexit: 7%
  • Anti-Money Laundering and Counter Financing of Terrorism obligations: 7%

Approximately what percentage of your organisation’s staff are now working remotely?

  • 100%: 40%
  • Between 75% – 100%: 45%
  • Between 50% – 75%: 3%
  • Between 25% – 50%: 4%
  • 50%: 2%
  • Less than 25%: 6%

Approximately what percentage of your organisation’s staff are likely to be partially or fully working remotely in 12 months?

  • Between 50% – 75%: 38%
  • Between 75% – 100%: 25%
  • Between 25% – 50%: 14%
  • 50%: 8%
  • Less than 25%: 8%
  • 100%: 7%

Has financial crime and the risk of attack become a greater consideration since some of your workforce have been redeployed to work at home?

  • Yes, it has increased the risks a little: 52%
  • Absolutely, it has increased the risks considerably: 37%
  • Not at all: 11%

3/4s of Irish businesses say Ireland’s data protection is becoming increasingly “uncertain” #WorldDataProtectionDay

76% of Irish businesses have experienced growing uncertainty across the data protection spectrum over the last 12 months, with no signs of this abating. This is according to a new survey from the Association of Compliance Officers Ireland (ACOI) released today in the run up to World Data Protection Day (Jan 28th).

The survey of more than 250 organisations throughout the country – answered by ACOI members with responsibility for compliance in financial and other organisations – sought to assess views surrounding Ireland’s data protection landscape for 2021.

Respondents cited uncertainty as a result of Brexit (32%); an increase in remote working (26%) and the impact of the Schrems II ruling (23%) as the primary drivers behind heightened threats to data protection and mounting challenges for organisations in ensuring compliance.

Speaking of the findings, Michael Kavanagh, CEO of the ACOI, said,

“These are turbulent times in the world of data protection and there is no doubt that businesses and other organisations throughout Ireland are struggling with a myriad of issues. It is perhaps unsurprising that Brexit is the forerunner in terms of what people see as the reason behind the growing uncertainty in DP, but what’s arguably more insightful is that more than ¼ of respondents say the growing prevalence of remote working is causing major issues and a similar number feel that the implications of the Schrems II ruling are adding to the ambiguity”.

The ACOI have set out key data protection areas for concern and action that they believe should be on the agenda of business entities throughout the country if they want to successfully navigate their way through 2021:

  1. The Schrems II ruling and international data transfers.

Mr. Kavanagh explained,

“Businesses will be watching closely to see the final outcome with regard to the European Commission’s recent public consultation on a draft revised set of standard contractual clauses (SCCs). SCCs are widely used by both SMEs and multinational firms to facilitate international transfers of data. Similarly, in our experience, industry views the supplementary measures proposed by the European Data Protection Board (EDPB) as too onerous and unworkable.”

  2. Brexit

The ACOI report that, while the Trade and Cooperation Agreement’s provision of 4 – 6 months ‘transition’ for UK-EU data transfers is welcomed, businesses must remain vigilant and watch closely to assess if an adequacy decision will take place within that timeframe.

  3. Guidance

According to the ACOI, more clarity and consistency on implementation of fines would be hugely beneficial to companies of all sizes across all industries, to enable these organisations and their Boards to adequately assess the risk and impact of potential fines and take appropriate action.

  4. The Basics

Mr. Kavanagh went on to advise,

“Businesses should continue to focus firstly on the basics. Having clear policies in place and developing a robust data protection culture throughout the whole organisation. Human error is often a key factor in data breaches, so ensuring that new and existing staff receive regular training on privacy best practice is key.”

The ACOI survey also revealed that, of the smaller cohort of survey respondents who believe the landscape is actually less uncertain than it was a year ago (24%), the increased clarity on Brexit (31%) and DPC requirements and penalties (29%) and improved staff training were seen as the main reasons for this.

Irish Businesses Facing Penalties as Data Protection Commission’s October 5th Deadline Lands

Businesses all over the country were scrambling last week to make the necessary adjustments to their websites as the Oct 5th deadline for online cookie compliance[1] fast approached. But by today businesses will be expected to have complied, and it’s unlikely that the many businesses that didn’t devote the necessary resources to this project will have gotten there on time. However, this should not dissuade them from taking action now, as there are significant penalties for non-compliance under GDPR legislation. This is the advice of the ACOI (Association of Compliance Officers Ireland) who say that implementation of the Data Protection Commission’s (DPC) guidance has significant implications for Irish businesses, particularly those SMEs whose resources may be already fully focused on surviving Covid and preparing for Brexit.

Michael Kavanagh, CEO of the ACOI explained,

“The ending of the grace period for implementing the DPC’s guidance on cookies and tracking technologies (See Appendix) is today October 5th, and anecdotal evidence has suggested that for many organisations, this has been overlooked, with energy, time and resources being placed instead on responding to COVID and Brexit. But it hasn’t gone away – and even though the business environment has never been more challenging, compliance is expected and will be enforced. With GDPR, the DPC has the power to impose significant sanctions on businesses that don’t comply, for example, if it was proven that a business did not gain affirmative consent from consumers using the site, then they could potentially be fined a percentage of their turnover”.

In late 2019, the DPC carried out a cookie sweep of thirty-eight organisations, with a view to understanding current levels of compliance in Ireland[2]. The ACOI say this exercise raised significant issues across a range of areas. Some of the issues highlighted included websites setting cookies immediately on the landing page, in many cases non-necessary cookies. Others misclassified cookies as necessary or strictly necessary, while consent was found to be bundled in many cases. In April 2020, the DPC then issued a guidance note which is intended to ensure greater levels of adherence across Irish organisations, and businesses were given 6 months to bring their sites in line with these new practices.

Mr. Kavanagh went on to comment,

“The implications for Irish businesses are considerable and extend beyond meeting the DPC’s list of requirements. For marketing and sales teams, the need to receive consent before deploying analytics cookies will effectively set a new baseline for their website metrics. A significant number of users are unlikely to opt-in, making it difficult to accurately compare year-on-year performance across the site. Customer service departments relying on website chatbots to deal with consumer queries must assess how to cater to customers who choose not to opt-in to this function. Many companies will need to implement a consent management platform (CMP) if one is not already in place. It will not be feasible to manually oversee aspects such as the requirement to reaffirm consent every six months. Lastly, any firms still relying on pre-ticked forms of consent must amend their practices soonest. Compliance professionals will need to consult widely across the business to ensure key departments and stakeholders are aware of the upcoming changes, and to minimise the potential impact on day-to-day operations”.

The ACOI advise that all businesses should give high priority to this issue for the remainder of the year.

Appendix – Key Considerations from the DPC’s Guidance Notes

  1. Organisations must obtain consent to store or set cookies.
  2. The rules apply even where cookies do not store personal data. ePrivacy focuses on the confidentiality of all electronic communications. If personal data is stored, the additional requirements of GDPR apply.
  3. Consent must meet GDPR standards, being freely given, specific, informed and unambiguous. It must be as easy for a user to withdraw consent as it was to provide it in the first place.
  4. Pre-ticked boxes and bundled consent, where approval is sought for a range of processing activities, are not allowed.
  5. Continuing to use a website or scrolling through a landing page do not imply consent. It must be an affirmative action by the consumer such as ticking a box.
  6. Default settings on a browser do not constitute affirmative consent.
  7. Analytics cookies require consent. However, the guidance states it is unlikely first-party analytics will be considered a priority for enforcement action.
  8. Consent must be reaffirmed every six months. It is worth noting a similar view has been taken by the French supervisory authority.
  9. Businesses must have clear retention periods for each cookie. Retaining cookie data indefinitely does not meet the GDPR’s requirement for proportionality.
  10. The guidelines do not recommend a particular method for obtaining consent. They recognise that website cookie banners are a typical way of achieving this objective.
  11. Companies should avoid using language or interfaces that nudge the user to accept cookies.
  12. The Commission recommends having both a cookie policy and a privacy policy, as these meet the requirements of ePrivacy and GDPR respectively.
  13. The guidelines apply to other tracking technologies as well as cookies, for example pixel trackers, “like” buttons and social sharing tools.
  14. Companies must be aware of any data shared with third parties, for example through social tools, and put in place data processing agreements where necessary.
  15. Finally, every effort should be made to present cookie banner information in a clear and accessible manner.
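As an added example that is not part of the ACOI text or any DPC material, the following JavaScript models the consent rules in points 1 to 9 above as a gate in front of cookie writes: nothing but strictly necessary cookies is set before an explicit tick, scrolling and pre-ticked boxes are refused, withdrawal is a single call, consent lapses after six months, and every cookie needs a finite retention period. The cookie names, the categories and the 183-day reading of "six months" are assumptions, and the cookie store is a plain object so the block runs offline under Node.

```javascript
// Added example (not ACOI's or the DPC's code): a consent gate in front of
// cookie writes that models the guidance points above. The cookie store is a
// plain object so the block runs under Node; in a browser the same checks
// would wrap document.cookie. Names, categories and the 183-day window are
// assumptions made for this example.

const SIX_MONTHS_MS = 183 * 24 * 60 * 60 * 1000; // assumed reading of "six months"

// Strictly necessary cookies may be set without consent (points 1 and 2).
// Misclassifying analytics or marketing cookies as necessary was one of the
// failures the DPC sweep found, so keep this set small and reviewed.
const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token"]);

class ConsentGate {
  // `now` is injectable so expiry can be tested without waiting six months.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.consent = null; // { categories: Set<string>, grantedAt: ms } or null
    this.jar = {};       // simulated store: name -> { value, expiresAt }
  }

  // Consent is recorded only on an explicit affirmative action such as
  // ticking a box (point 5). Scrolling, continuing to browse, browser
  // defaults (point 6) and pre-ticked boxes (point 4) are refused.
  grant(categories, action, { preTicked = false } = {}) {
    if (action !== "tick" || preTicked) return false;
    if (!Array.isArray(categories) || categories.length === 0) return false;
    this.consent = { categories: new Set(categories), grantedAt: this.now() };
    return true;
  }

  // Withdrawal is one call, as easy as granting (point 3), and removes
  // every non-necessary cookie already written.
  withdraw() {
    this.consent = null;
    for (const name of Object.keys(this.jar)) {
      if (!STRICTLY_NECESSARY.has(name)) delete this.jar[name];
    }
  }

  // Consent lapses after six months and must be reaffirmed (point 8).
  hasConsent(category) {
    if (!this.consent) return false;
    if (this.now() - this.consent.grantedAt > SIX_MONTHS_MS) {
      this.consent = null;
      return false;
    }
    return this.consent.categories.has(category);
  }

  // Every cookie write passes through here. Non-necessary cookies need
  // current consent for their category (point 7 covers analytics), and
  // every cookie needs a finite retention period (point 9).
  setCookie(name, value, category, retentionMs) {
    if (!(Number.isFinite(retentionMs) && retentionMs > 0)) return false;
    if (!STRICTLY_NECESSARY.has(name) && !this.hasConsent(category)) return false;
    this.jar[name] = { value, expiresAt: this.now() + retentionMs };
    return true;
  }

  // Reads honour the retention period: an expired cookie is dropped.
  getCookie(name) {
    const c = this.jar[name];
    if (!c) return null;
    if (this.now() >= c.expiresAt) {
      delete this.jar[name];
      return null;
    }
    return c.value;
  }
}
```

A real consent management platform would also persist the consent record itself (timestamp and categories) so the six-month reaffirmation can be evidenced to the DPC.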

Dedicated COVID Compliance Officers Could Become “Commonplace” in Irish Businesses. #COVID19

The Association of Compliance Officers Ireland (ACOI) have said that, as the Irish workforce and businesses themselves begin to contemplate what the working landscape will look like as the country tentatively emerges from lockdown, the issue of compliance and how to deal with social distancing and other COVID-related protocol will be at the forefront of the minds of managers and business owners in every industry. The professional body, which has over 3,000 members nationwide, believe that “COVID Compliance Officers” may well need to become commonplace – if only temporarily – to ensure businesses meet any instructions and/or rules and guidelines issued by the Government, which might then allow them to recommence trading.


Michael Kavanagh, CEO of the ACOI, explained how the situation might unfold,

“While there have been rumblings that we may be edging closer to opening the country up for business again, it is widely accepted that rather than preparing for “life after COVID”, we will have to set ourselves up for “life amidst COVID” – until such time as a treatment is found. This means businesses will have to adapt and change according to what the relevant authorities advise. Organisations will have to adhere to strict rules to ensure we hold our ground in the fight against the spread of the disease. In order to do this, employees and management will need to know exactly what they have to do. Invariably, one person, or even a team of people, depending on the size of the organisation, should be tasked with ensuring compliance in this regard”.

The ACOI are advising that a dedicated COVID Compliance Officer could be an existing compliance officer, or another senior employee or member of management within the company.

Mr. Kavanagh continued,

“By appointing someone to the role of COVID compliance regulator, the HSE and Gardaí will have a go-to person to interact with and support in terms of putting the necessary processes and procedures in place.

There appears to be a growing consensus that people will return to work on a phased basis based on national COVID-19 management targets being met, with those working outdoors possibly being the first to return. In each workplace, someone will have to assess how employees and customers can adhere to new rules such as maintaining a two-metre distance from colleagues and other customers, and minimising the level of face-to-face interaction. This will need to happen, preferably, before businesses reopen and employees return to work”.


As Ireland’s leading body for regulatory compliance and business ethics, the ACOI has its finger on the pulse of the issues that are affecting businesses of all sizes across the country. Currently, in the face of a vastly altered and rapidly changing business landscape, the ACOI say the primary challenges being encountered by their members are around:

  • Data Protection: keeping personal data secure online and in a working-from-home environment
  • Financial Crime: the increase in digital, non-face-to-face transactions and managing ongoing monitoring at a time of significant change in client/user behaviour

Mr. Kavanagh said,

“Our members have already had to act swiftly to ensure that new business models and organisational structures protect people and comply with the rules and regulations already in place. This is particularly true in the areas of data protection and financial crime”.


The ACOI are advising businesses and organisations that are preparing to reopen and have concerns around compliance to consult with the National Standards Authority and the Health and Safety Authority – both of which are providing guides and information to those who require it.