Only 15% of Irish firms ‘fully compliant’ with GDPR

Forvis Mazars' latest 2024 joint GDPR survey with McCann FitzGerald LLP shows that Irish businesses continue to face challenges in complying with the General Data Protection Regulation (GDPR), six years on from its introduction.

The research, GDPR and Digital Legislation: A Survey of the Impact and Effect on Organisations in Ireland, conducted by Ipsos B&A, found that just 15% of businesses consider their organisation to be ‘fully compliant’ with the legislation, which is billed as the toughest privacy and security law in the world. A further 58% of respondents indicated their organisation was ‘materially compliant’ and 25% say their organisation was ‘somewhat compliant’. In order to achieve their compliance targets, half of the businesses surveyed believe they need more resourcing, financial investments or further expertise in this space.

The research also found that 82% of respondents believe the risks associated with GDPR non-compliance are increasing, with respondents citing ‘reputational risk’ as the most important factor in determining an organisation’s data protection risk appetite, followed by ‘fear of fines’. Eight in 10 (81%) of the businesses surveyed say they intend to improve their compliance status.

This is the eighth edition of the Forvis Mazars and McCann FitzGerald LLP annual survey on the impact of GDPR on organisations in Ireland. As well as examining the latest perceptions among Irish businesses regarding GDPR compliance, the report also assesses awareness and readiness for a wave of new legislative developments from the European Union in response to rapid technological changes.

Findings show that 60% of those surveyed are concerned about the impact of new digital legislation on their organisation, which includes DORA (the Digital Operational Resilience Act), the AI Act, the Data Act, the Data Governance Act, the Digital Services Act, the Online Safety and Media Regulation Act, the Digital Markets Act, the Network and Information Security Directive 2 (NIS2) and the Cyber Resilience Act. There is also a high degree of uncertainty regarding the new legislation with many respondents being unsure of their applicability to their business, which suggests further education and awareness is required within organisations.

Speaking at the launch of the survey on Wednesday 17 July 2024, Liam McKenna, Partner in Consulting Services at Forvis Mazars, said: “This survey underscores the essential need for organisations to remain up to date with both current and forthcoming regulations in the digital space. Irish businesses must diligently maintain their compliance initiatives, particularly amid the significant financial and reputational risks at stake.

Although GDPR regulations were implemented in 2018, that only 15% of Irish companies are fully compliant is a concern for Irish business, particularly in light of further digital legislation coming down the tracks including the Digital Operational Resilience Act (DORA), AI Act, Data Act, and Digital Services Act, among others. Irish companies therefore need to urgently focus on GDPR adherence, while actively gearing up for new legislative requirements.”

Paul Lavery, Partner at McCann FitzGerald LLP, commentated: “The effectiveness of the GDPR as one of the toughest data privacy laws in the word is perhaps evidenced by the fact that organisations are still actively working on improving their compliance six years on. It is much more than a tick the box exercise and staying on the right side of these complex requirements will require ongoing attention and focus by Irish organisations.

The good news is that this experience will serve businesses well as they prepare for new legislation coming down the track from the European Union. Legislating for rapidly changing technologies such as AI is no easy task and we can expect regulations around data, AI, cyber resilience, information security and digital services to continue to evolve in the coming years.”

Commenting at the launch, Graham Doyle, Deputy Commissioner, Data Protection Commission, said: “For me, I always thought that, as an organisation, you’re missing a trick if you’re just complying with legislation, whether it’s GDPR or anything else is coming down the tracks – if you’re only complying with it for the sake of compliance or if you’re afraid of the impact it will have on your reputation.  There’s actually a huge amount to be said for the level of trust that we, as consumers, always have when we’re engaging with companies that we know are doing a good job.”

Watch recording of webinar

Key findings:

• 82% of respondents agree that the risks associated with GDPR non-compliance are increasing, up from 70% in last year’s survey.
• 81% of respondents intend on improving their compliance status.
• 59% of respondents are concerned about the prospect of being fined for GDPR non-compliance, compared to 58% in last year’s survey.
• 47% of respondents agree that working to comply with GDPR has delivered many benefits for their organisation, up from 34% last year.
• Over half of the respondents (52%) say that the CEO of their organisation is strongly engaged in GDPR compliance and data privacy, compared to 50% in 2023.
• Six out of 10 respondents are concerned about upcoming digital legislation.
• 63% of respondents indicated that the AI Act will apply to their organisation.

Listen here to Liam McKenna discuss this topic on Newstalks Breakfast Business With Joe Lynam.