Businesses struggling to keep up with technology laws and regulations
Keeping up with emerging laws and regulation is the biggest legal challenge by companies in their use of technology in Ireland, a survey by Mason Hayes & Curran has found.
More than a third (37 per cent) of respondents identified this as their greatest challenge, followed by governance/oversight for privacy risks (26 per cent).
The business law firm surveyed 300 attendees at its Data Privacy and Emerging Technology Regulation Conference at The Marker Hotel in Dublin last week.
The event brought together in-house lawyers from both the public and private sectors to focus on the rapidly evolving regulatory landscape and equip delegates with the necessary knowledge to navigate this complex terrain.
Philip Nolan, partner and head of technology at Mason Hayes & Curran, said: “With enhanced expectations of regulatory oversight and the introduction of significant new EU tech and data laws, it is not surprising that emerging regulation is the biggest issue for the sector.
“In 2018 we were dealing with one key piece of data legislation, the GDPR. Now we’re dealing with an entire suite of overlapping tech legislation covering data practices with different focuses and policy objectives.
“The collective impact of these new rules is challenging, to say the least, and organisations should be aware that being compliant with one set of laws does not mean you are covered under other related legislation.
“One key takeaway from our event is the importance of staying informed as these changes evolve. You don’t need to be an expert on every piece of emerging tech legislation, but you need to know enough to spot the issues and get the right advice for you and your organisation.”
The survey also found that more than two-thirds of attendees (67 per cent) are not certified under the EU-US Data Privacy Framework. However, it is important to note that certification is only available to companies that are also operating in the US.
Replacing the previous Privacy Shield programme, the Data Privacy Framework seeks to ensure that data transfers between the EU and the US comply with EU data protection standards. It aims to safeguard the privacy of EU citizens’ data when processed by companies in the US, providing a mechanism for secure and legal cross-border data flows.
Oísin Tobin, privacy and data security partner at Mason Hayes & Curran, said: “The introduction of the EU-US Data Privacy Framework is the end result of detailed negotiations between the European Commission and the US Government, to provide greater certainty around EU-US data transfers.”
Julie Austin, privacy and data security partner at Mason Hayes & Curran, added: “These results are not particularly surprising as the Framework is still in its infancy, and many organisations are continuing to rely on alternative transfer mechanisms such as Standard Contractual Clauses (SCCs).
“So far, there are almost 3,000 certified participants. 70 per cent of those are SMEs who would have paid in and around $300 to certify, so it’s being pushed as a cost-effective alternative to SCCs.
“We have been working with clients on their certification programme and have found the certification process to be relatively smooth, with the process taking up to two months.”
The survey also found that more than three-quarters of companies surveyed (77 per cent) do not have a compliance plan in place for minors accessing their services.
Hannah Perry, privacy and data security partner at Mason Hayes & Curran, said: “Keeping children safe online is top of the agenda for regulators and is a core theme across the new suite of tech regulation. We have been working extensively with clients on rolling out new protections for children on their platforms and services.
“Having a robust compliance plan is important for many organisations and we would advise companies to take the following practical steps to put one in place.
“Start by mapping out the nature of your services and whether you are handling minors’ data. Then consider which regulations are most applicable to you and how you are going to implement your obligations under each piece of relevant legislation. This could include excluding people who are under the age of 18 from accessing your services, or putting specific child safeguards in place.”