GandGLLP_logo2GandGLLP_logo2GandGLLP_logo2GandGLLP_logo2
  • Home
  • About
  • Expert Areas
    • Banking & Financial Services
    • Commercial Litigation & Dispute Resolution
    • Corporate & Commercial
    • Corporate Restructuring & Insolvency
    • Employment
    • Private Client
    • Family Law
    • Real Estate
  • People
  • Careers
  • International
  • News & Insights
  • Contact
✕

Should Your Company Appoint a Data Protection Officer?

January 2018

With the EU General Data Protection Regulation (the “GDPR”) coming into force in May, 2018, one of the first action areas for companies to consider is whether or not they will be obliged to appoint a Data Protection Officer (“DPO”).

With the EU General Data Protection Regulation (the “GDPR”) coming into force in May, 2018, one of the first action areas for companies to consider is whether or not they will be obliged to appoint a Data Protection Officer (“DPO”).

As of May 2018, there will be a mandatory obligation on certain companies to appoint a DPO. This will apply to companies that deal with personal data on a large scale. The DPO may be an employee with other roles in the company or may be an external contractor; however, they must have expert knowledge in the area of data protection law.

The obligations to appoint a DPO are set out in Articles 37 to 39 of the GDPR. A more extensive set of Guidelines on Data Protection Officers was published by a Working Party set up by the European Parliament in December 2016.

What Circumstances Give Rise an Obligation to appoint a DPO?

In brief, where the processing of data is an integral part of your company and this is done on a large scale, you will be obliged to appoint a DPO. In addition, there are certain organisations for which the GDPR specifically requires the appointment of a DPO:

  • All Public Bodies
  • Companies whose core activities require regular and systematic monitoring of data subjects on a large scale
  • Companies whose core activities involve large scale processing of sensitive data and data relating to criminal convictions

The “core activities” of a company are the primary activities or key operations of that company. Where your company could not engage in its primary operations without the processing of personal data, then this criterion is met.

The term “regular and systematic” is not defined by the GDPR. However, regular can be taken to mean ongoing, recurring, periodical or at specific intervals. Systematic should be taken to mean according to some objective system: if you email a customer at the end of every quarter, this could hypothetically be considered systematic.

“Large Scale” is also not a defined term and, in the abstract, it is difficult to know how strictly it will be read. What will be taken into account are the number of individuals whose data is being processed, the bulk of data that is being processed for each, and the regularity with which it is being processed. A hospital will certainly process data on a large scale, whereas a local GP is unlikely to do so.

Each individual case will be taken on its own facts. If you suspect that you may fall under these obligations you should get in touch with your Gore and Grimes contact in advance of May 2018.See our Contacts section below for details.

What is the Role of the DPO?

In the broadest terms, the role of the DPO is to ensure your company complies with its data protection obligations and specifically those set out in the GDPR.
Specifically, a DPO is charged with attending to the following obligations:

  • Ensure that the company’s procedures for processing data complies in all respects with the GDPR o Monitor compliance with those obligations
  • Inform and advise the company and staff of their data protection obligations
  • Promote awareness and train staff in relation to data protection o Train all staff that handle personal data
  • Advise on Privacy Impact Statements (PIAs)
  • Cooperate and serve as a point of contact with the supervisory body

In order to comply with the obligations, your company will be required to properly resource your DPO to meet their day-today requirements and facilitate them in their ongoing training in the area of data protection.

Independence of the DPO & Conflict of Interests

A DPO cannot be instructed on how to deal with a matter involving data protection. They must have full autonomy in the exercising of their duties and must report to the highest level of management within the company. The DPO is responsible for how data is handled within an organisation – it is a ‘buck stops here’ role

Specifically, the DPO cannot be instructed by senior management as to what result should be achieved in a data protection matter; how to investigate a data protection complaint; or whether to consult the supervisory authority. Furthermore, they must not be instructed to take a certain view of an issue related to data protection law. Importantly, they cannot be dismissed or penalised for exercising their tasks.

While a DPO can fulfil other tasks and duties, the GDPR requires that an organisation ensures that any such tasks and duties do not result in a conflict of interests. Specifically, the DPO cannot hold a position within the organisation that requires him or her to determine the purposes and the means of the processing of personal data.

As each organisation is different, this will be determined on a case by case basis. The European Parliament Working Party do however provide useful guidance on the type of positions that a DPO cannot hold in an organisation:

“conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing”.

If you would like to know more about how the GDPR is going to impact on your company, contact:
Brian O’Neill
Darragh O’Dea

CONTACT

+353 1 872 9299
Lawyer@GoreGrimes.ie

ADDRESS

Gore & Grimes Solicitors LLP
Three Haddington Buildings
Percy Place
Dublin 4
D04 T253
Ireland

Gore & Grimes Solicitors LLP is authorised by the Legal Services Regulatory Authority to operate as a Limited Liability Partnership pursuant to section 125 of the Legal Services Regulation Act 2015.

© Gore and Grimes 2024 Privacy Notice  Cookie Policy Site by Begley Hutton

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Cookie settingsACCEPT REJECT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Strictly Necessary Cookies
Always Enabled
These are cookies that are required for the operation of our website.
CookieDurationDescription
cookielawinfo-checkbox-advertisement1 yearSet by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent1 yearCookieYes sets this cookie to store the user consent.
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Analytical or Performance Cookies
These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
CookieDurationDescription
_ga1 year 1 month 4 daysThe _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_*1 minuteGoogle Analytics sets this cookie to store a unique user ID.
_gid1 dayInstalled by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT2 yearsYouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
Advertisement
These cookies are used to provide visitors with relevant ads and marketing campaigns.
CookieDurationDescription
VISITOR_INFO1_LIVE5 months 27 daysA cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSCsessionYSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devicesneverYouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-idneverYouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
Save & Accept
Powered by CookieYes Logo