By now, organizations will have heard about the new EU General Data Protection Regulation (GDPR), set to take effect on May 25th, 2018. It is the largest piece of data protection legislation to be passed in the history of the EU (Irish Times, 2017).
The fundamental objective of the regulation is to strengthen and reinforce the rights of the individual (the data subject) and to create a much-needed harmonization of data protection law across the European single market. The new legislation will apply uniformly across all EU member states and brings with it a major shift in the regulatory landscape. The introduction of this new EU data protection framework presents new challenges for business, making it imperative for organizations to act now and prepare accordingly to ensure compliance with the reform by May 2018.
GDPR imposes new, more rigorous obligations on organizations for the collection and processing of personal data, and introduces new and improved rights for the individual. The regulation reinforces Europe’s extremely protective approach to the processing and controlling of the personal data of its citizens.
As mentioned above, the legislation stipulates a number of new protections. One of the major requirements outlined in the regulation is the mandatory appointment of a dedicated Data Protection Officer (DPO).
The DPO role itself is independent of the organization: the DPO answers to the lead supervisory authority (in Ireland, the Data Protection Commissioner) and is not subject to the company’s board of directors. The position can be filled internally by a current staff member, or the role can be contracted out to a third-party service provider.