News and Insights

Print this page

Search News & Insights

The Deadline for Compliance with the GDPR is Fast Approaching – Are You Ready?

AUTHOR(S): Michael Byrne, Anne-Marie Bohan
PRACTICE AREA GROUP: Data Protection, Commercial Litigation and Dispute Resolution
DATE: 20.04.2017

Next month marks one year to the introduction of the General Data Protection Regulation (“GDPR”), which comes into force on 25 May 2018.  While all FDI companies operating in Europe should be aware of the GDPR’s major overhaul of data protection laws, and should be actively preparing for it, recent studies have shown that awareness and preparedness levels are alarmingly low.  One significant new obligation under the GDPR is the requirement for certain types of companies to appoint a dedicated Data Protection Officer (“DPO”).  In particular, this applies to companies whose core activities consist of data processing operations which require regular monitoring of data subjects on a large scale, or which process certain types of sensitive data (ie, data concerning race, religious beliefs or criminal convictions), and to all public bodies.

Filling the role of DPO isn’t merely a ‘box ticking’ exercise.  The DPO must have expert knowledge of data protection law, and other professional qualities.  For many companies, this will require creating a new role and hiring a dedicated expert.  Some companies may not need a dedicated full-time DPO, and the GDPR does allow some flexibility on this.  Specifically, an existing employee can serve as the DPO provided they have the required expertise and the DPO role does not conflict with any other role they hold in the organisation, and a group of related companies can appoint a single DPO.  Further, an external DPO can be appointed under an appropriate service contract.

The DPO’s responsibilities will include:

  • Informing and advising the company and its employees of their respective obligations under the GDPR and data protection legislation generally.
  • Monitoring compliance with the GDPR, data protection legislation and the company’s own data protection policies.  This will include assignment of responsibilities, awareness-raising and staff training.
  • Providing advice on data protection impact assessments.
  • Acting as a point of contact for the company’s supervisory authority.

As an employer, the company will be expected to provide the DPO with the resources necessary to carry out their tasks.  The company will also need to provide the DPO with access to all personal data held by it and to its data processing operations, and must involve the DPO in any data protection-related issues affecting the company.

It is important that companies whose activities might trigger the requirement for a DPO prepare themselves well in advance of the deadline, as there are severe consequences of not appointing a DPO where required, including fines of up to €10,000,000 or 2% of a company’s worldwide turnover.  Further, a good DPO will be of great assistance to companies in meeting the often complex data protection requirements under the GDPR and national laws.  With only one year to go, companies whose operations may trigger the requirement for a DPO should identify and plan for this as soon as possible.

This article was authored by Michael Byrne, Anne-Marie Bohan and Aoife Kelly-Desmond.


About cookies on our website

Following a revised EU directive on website cookies, each company based, or doing business, in the EU is required to notify users about the cookies used on their website.

Our site uses cookies to improve your experience of certain areas of the site and to allow the use of specific functionality like social media page sharing. You may delete and block all cookies from this site, but as a result parts of the site may not work as intended.

To find out more about what cookies are, which cookies we use on this website and how to delete and block cookies, please see our Which cookies we use page.

Click on the button below to accept the use of cookies on this website (this will prevent the dialogue box from appearing on future visits)