Companies in Ireland – the General Data Protection Regulation (GDPR).
The EU GDPR mandates that certain companies, including specific companies operating in Ireland, appoint a Data Protection Officer (DPO) within their business.
This Data Protection Officer will be the “go to” person within Irish companies and will manage the responsibility for Data Protection Compliance.
Responsibilities of the Data Protection Officer include, but are not limited to:
- Monitoring the company’s compliance with The Data Protection Law, managing training of staff for data protection and carrying out audits within the Organisation.
- Providing advice to the Organisation relating to their obligations under the GDPR.
- Acting as the main contact point within the Organisation for the local Data Protection Authority (The Data Protection Commissioner).
Not all Irish companies will be required to appoint a DPO.
In the circumstances listed below, companies in Ireland will be required to have a DPO:
- Public Authorities processing public data (except for courts in their judicial capacity).
- The Company in Ireland has core activities which involve data processing operations and “require regular monitoring of data subjects on a large scale”.
- The core activities of the organisation involve the processing of sensitive personal data on a large scale.
The specific size of the above listed processing activity is not detailed within the GDPR. There is no identifiable cut-off point, but Irish companies would be advised to err on the side of caution rather than face the extreme financial sanctions for breaking the law.
Under Article 58 of the GDPR, the Office of The Data Protection Commissioner in Ireland will be able to fine Irish companies that are found guilty of a data breach. Article 58 does not differentiate between an accidental breach and a deliberate breach. Fines for a data breach have been increased to a maximum of 20 million Euro or 4% of their global turnover, whichever is the larger.
If there was ever an appropriate time for Irish companies to review all of their data processing activities and identify to whom they are releasing data, both digital and paper, it is now, before the fines are in place and enforced.
Within the GDPR, a single DPO can represent multiple organisations and does not have to be a member of staff belonging to the specific Company. Therefore, several organisations can collectively appoint one DPO to represent their combined interests.
Research conducted to date makes it clear that the expected compliance is not matched by the level of knowledge and awareness within the market. A figure of 28,000 Data Protection Officers, itself an underestimate, will need to be appointed throughout Europe before the GDPR becomes law.
For more information on compliance with the GDPR, please contact the Security in Shredding team for assistance.