Four in ten Irish businesses did not update cookie policies last year
Four in ten Irish businesses made no changes to their cookie policies last year following new guidance from the Data Protection Commission, according to a new survey by Mason Hayes & Curran LLP.
The law firm has published the results of its Data Privacy in 2021 survey, which was carried out at a recent webinar attended by over 400 in-house lawyers, from both domestic companies and multinational organisations across various sectors with a presence in Ireland.
Those surveyed were asked about cookie policies, their biggest data protection risks as well as the issue of processing the data of minors, which is likely to be an area of focus for the Office of the Data Protection Commission (DPC) over the next 12 months.
The DPC released new guidance around the use of cookies on websites in 2020, and half of those surveyed stated that they had changed their cookie policies because of the new guidance. However, a substantial minority (40 per cent) haven’t changed their cookie policies.
Philip Nolan, head of privacy and data security at Mason Hayes & Curran LLP, said: “After the DPC released their guidance on cookies, there was a six-month grace period to allow organisations time to examine their current practices and update them accordingly.
“However, that grace period expired in October 2020 so organisations who haven’t reviewed their cookie policies should do so as a matter of urgency.”
One in ten respondents said they had changed their cookie policies, but mainly because they had changed their use of cookies instead of in reaction to the DPC guidance.
Mr Nolan said: “Organisations also need to remember that if they have reach outside of Ireland, they will need to be cognisant of rules around cookies in different jurisdictions. This was evidenced by the recent fines imposed by the CNIL, France’s data protection regulatory body, on Amazon and Google, both with main establishments outside of France.”
However, cookies don’t feature highly in respondents’ list of data protection risks. The biggest data protection risk according to those surveyed is security breaches (42%), a risk exacerbated by the rise in remote working during the pandemic. International data transfers (19%) and lack of internal controls and documentation (14%) were also considered significant data protection risks.
Oisín Tobin, privacy and data security partner at Mason Hayes & Curran LLP, said: “It’s not surprising that data breaches are top of the list in terms of data protection risks.
“Organisations are all too aware of the potential for plaintiff litigation by someone affected by a data breach, and we have seen an increase in civil litigation in this area. There is also the reputational risk to an organisation that suffers a data breach.”