GandGLLP_logo2GandGLLP_logo2GandGLLP_logo2GandGLLP_logo2
  • Home
  • About
  • Expert Areas
    • Banking & Financial Services
    • Commercial Litigation & Dispute Resolution
    • Corporate & Commercial
    • Corporate Restructuring & Insolvency
    • Employment
    • Private Client
    • Family Law
    • Real Estate
  • People
  • Careers
  • News & Insights
  • Contact
✕

Should Your Company Appoint a Data Protection Officer?

January 2018

With the EU General Data Protection Regulation (the “GDPR”) coming into force in May, 2018, one of the first action areas for companies to consider is whether or not they will be obliged to appoint a Data Protection Officer (“DPO”).

With the EU General Data Protection Regulation (the “GDPR”) coming into force in May, 2018, one of the first action areas for companies to consider is whether or not they will be obliged to appoint a Data Protection Officer (“DPO”).

As of May 2018, there will be a mandatory obligation on certain companies to appoint a DPO. This will apply to companies that deal with personal data on a large scale. The DPO may be an employee with other roles in the company or may be an external contractor; however, they must have expert knowledge in the area of data protection law.

The obligations to appoint a DPO are set out in Articles 37 to 39 of the GDPR. A more extensive set of Guidelines on Data Protection Officers was published by a Working Party set up by the European Parliament in December 2016.

What Circumstances Give Rise an Obligation to appoint a DPO?

In brief, where the processing of data is an integral part of your company and this is done on a large scale, you will be obliged to appoint a DPO. In addition, there are certain organisations for which the GDPR specifically requires the appointment of a DPO:

  • All Public Bodies
  • Companies whose core activities require regular and systematic monitoring of data subjects on a large scale
  • Companies whose core activities involve large scale processing of sensitive data and data relating to criminal convictions

The “core activities” of a company are the primary activities or key operations of that company. Where your company could not engage in its primary operations without the processing of personal data, then this criterion is met.

The term “regular and systematic” is not defined by the GDPR. However, regular can be taken to mean ongoing, recurring, periodical or at specific intervals. Systematic should be taken to mean according to some objective system: if you email a customer at the end of every quarter, this could hypothetically be considered systematic.

“Large Scale” is also not a defined term and, in the abstract, it is difficult to know how strictly it will be read. What will be taken into account are the number of individuals whose data is being processed, the bulk of data that is being processed for each, and the regularity with which it is being processed. A hospital will certainly process data on a large scale, whereas a local GP is unlikely to do so.

Each individual case will be taken on its own facts. If you suspect that you may fall under these obligations you should get in touch with your Gore and Grimes contact in advance of May 2018.See our Contacts section below for details.

What is the Role of the DPO?

In the broadest terms, the role of the DPO is to ensure your company complies with its data protection obligations and specifically those set out in the GDPR.
Specifically, a DPO is charged with attending to the following obligations:

  • Ensure that the company’s procedures for processing data complies in all respects with the GDPR o Monitor compliance with those obligations
  • Inform and advise the company and staff of their data protection obligations
  • Promote awareness and train staff in relation to data protection o Train all staff that handle personal data
  • Advise on Privacy Impact Statements (PIAs)
  • Cooperate and serve as a point of contact with the supervisory body

In order to comply with the obligations, your company will be required to properly resource your DPO to meet their day-today requirements and facilitate them in their ongoing training in the area of data protection.

Independence of the DPO & Conflict of Interests

A DPO cannot be instructed on how to deal with a matter involving data protection. They must have full autonomy in the exercising of their duties and must report to the highest level of management within the company. The DPO is responsible for how data is handled within an organisation – it is a ‘buck stops here’ role

Specifically, the DPO cannot be instructed by senior management as to what result should be achieved in a data protection matter; how to investigate a data protection complaint; or whether to consult the supervisory authority. Furthermore, they must not be instructed to take a certain view of an issue related to data protection law. Importantly, they cannot be dismissed or penalised for exercising their tasks.

While a DPO can fulfil other tasks and duties, the GDPR requires that an organisation ensures that any such tasks and duties do not result in a conflict of interests. Specifically, the DPO cannot hold a position within the organisation that requires him or her to determine the purposes and the means of the processing of personal data.

As each organisation is different, this will be determined on a case by case basis. The European Parliament Working Party do however provide useful guidance on the type of positions that a DPO cannot hold in an organisation:

“conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing”.

If you would like to know more about how the GDPR is going to impact on your company, contact:
Brian O’Neill
Darragh O’Dea

CONTACT

+353 1 872 9299
Lawyer@GoreGrimes.ie

ADDRESS

Gore & Grimes Solicitors LLP
Three Haddington Buildings
Percy Place
Dublin 4
D04 T253
Ireland

Gore & Grimes Solicitors LLP is authorised by the Legal Services Regulatory Authority to operate as a Limited Liability Partnership pursuant to section 125 of the Legal Services Regulation Act 2015.

© Gore and Grimes 2023 Privacy NoticeSite by Begley Hutton