Next month marks one year to the introduction of the General Data Protection Regulation (“GDPR”), which comes into force on 25 May 2018. While all FDI companies operating in Europe should be aware of the GDPR’s major overhaul of data protection laws, and should be actively preparing for it, recent studies have shown that awareness and preparedness levels are alarmingly low. One significant new obligation under the GDPR is the requirement for certain types of companies to appoint a dedicated Data Protection Officer (“DPO”). In particular, this applies to companies whose core activities consist of data processing operations which require regular monitoring of data subjects on a large scale, or which process certain types of sensitive data (ie, data concerning race, religious beliefs or criminal convictions), and to all public bodies.
Filling the role of DPO isn’t merely a ‘box ticking’ exercise. The DPO must have expert knowledge of data protection law, and other professional qualities. For many companies, this will require creating a new role and hiring a dedicated expert. Some companies may not need a dedicated full-time DPO, and the GDPR does allow some flexibility on this. Specifically, an existing employee can serve as the DPO provided they have the required expertise and the DPO role does not conflict with any other role they hold in the organisation, and a group of related companies can appoint a single DPO. Further, an external DPO can be appointed under an appropriate service contract.
The DPO’s responsibilities will include:
- Informing and advising the company and its employees of their respective obligations under the GDPR and data protection legislation generally.
- Monitoring compliance with the GDPR, data protection legislation and the company’s own data protection policies. This will include assignment of responsibilities, awareness-raising and staff training.
- Providing advice on data protection impact assessments.
- Acting as a point of contact for the company’s supervisory authority.
As an employer, the company will be expected to provide the DPO with the resources necessary to carry out their tasks. The company will also need to provide the DPO with access to all personal data held by it and to its data processing operations, and must involve the DPO in any data protection-related issues affecting the company.
It is important that companies whose activities might trigger the requirement for a DPO prepare themselves well in advance of the deadline, as there are severe consequences of not appointing a DPO where required, including fines of up to €10,000,000 or 2% of a company’s worldwide turnover. Further, a good DPO will be of great assistance to companies in meeting the often complex data protection requirements under the GDPR and national laws. With only one year to go, companies whose operations may trigger the requirement for a DPO should identify and plan for this as soon as possible.
This article was authored by Michael Byrne, Anne-Marie Bohan and Aoife Kelly-Desmond.