As of 25 May 2018, the EU GDPR (General Data Protection Regulation) is the primary piece of legislation governing data protection. The requirement for Irish organisations to register their data processing activities with the DPC (Data Protection Commission), which existed under the previous regime, no longer applies.
However, under the GDPR, certain organisations are required to appoint a DPO (data protection officer). Organisations are also required to publish the details of their DPO and provide these details to their national supervisory authority.
A DPO is mandatory for:
- Public authorities;
- Organisations whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
- Organisations whose core activities consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
However, DPOs aren’t exclusively for such organisations. The WP29 (Article 29 Working Party) released guidance in 2017 recommending that all organisations appoint a DPO as a matter of good practice. This is because the tasks that a DPO takes responsibility for will become increasingly important as the GDPR’s influence grows.
DPO as a service
Many organisations are struggling to find suitable DPOs, because the demand for qualified personnel far outweighs the supply. Those who have tried to look in-house for a DPO have also been stumped, because even qualified cyber security professionals often lack the necessary expertise or have a conflict of interest with their existing role.
Any organisation facing such problems should consider our DPO as a service. One of our data protection experts will act as a remote DPO, completing the necessary tasks for your organisation and providing you with guidance whenever you need it.
With this practical and cost-effective solution, you don’t have to worry about finding an expert, ensuring that there is no conflict of interest or checking that they are fulfilling their requirements under the GDPR. Instead, you can focus on what you do best: your core business activities.