Over two-thirds of Northern Ireland businesses are concerned about a potential breach of the new EU General Data Protection Regulation in the next year to year-and-a-half, a survey has found.

The survey was jointly commissioned by the Northern Ireland Chamber of Commerce and Industry and corporate law firm A&L Goodbody.

Despite the GDPR coming into effect just weeks from now, only 22 per cent of surveyed businesses feel sufficiently prepared, with a majority (52 per cent) saying they are only “somewhat prepared” and a quarter claiming they are “not at all prepared”.

Mark Thompson, partner at A&L Goodbody, said: “It comes as no surprise that local companies are feeling concerned about a potential GDPR breach – especially given some of the alarming press coverage in recent months about the new penalty regime for failure to comply.”

Mr Thompson added: “There are complexities to the legislation and there are key commercial decisions to be taken by businesses – but there are essentially two basic principles to the regime: increased transparency and increased accountability. If you buy into transparency, there is little to fear in the latter.

“In order to be compliant, companies must understand what data they collect and hold, why they hold it, where it is stored, how they use it and who it is shared with. They must then take the necessary steps to amend their internal policies, IT and operational processes and governance accordingly – something on which a legal advisor or GDPR specialist can advise.”

Most (55 per cent) of businesses expect that GDPR will have a minor impact on their ability to market their service, which over a third (36 per cent) anticipate the need for “significant adjustments” and six per cent believe they will have to “completely transform” their processes.

Only 18 per cent of surveyed businesses are confident that they have compliant systems in place to deal with a Subject Access Request (SAR), with 17 per cent being unaware of what a SAR is.

A SAR entitles an individual to have a report of data held about them and how that data is being used by an organisation. Under GDPR, companies can no longer charge a fee for responding and must find, gather and disclose an individual’s data to them within 30 days.

Mr Thompson said: “Missing the timetable will put companies in breach, so it is important to have a well-structured process for responses in place before the regulations go live. Organisations should update their procedures and train relevant employees to recognise and respond effectively to SARs in accordance with the new legislation.

“There aren’t many examples of processing in Northern Ireland not permissible under the new regime, provided that customers are aware how companies will be using their data once they have been given it.”

Ann McGregor, chief executive of the Northern Ireland Chamber of Commerce and Industry, added: “The message here is very clear – companies must act now before it’s too late and I would urge all members to review their processes to determine what changes they need to make to be compliant with GDPR.

“The Chamber has recently hosted a number of events and published a wide range of GDPR-related material, and we will continue to support our members in any way they can as they prepare for, and adapt to, GDPR in the coming months.”