A staggering 66 per cent of firms are unaware of their commitments under the rapidly-approaching GDPR but experts at this month’s Data Summit in Dublin warned against the perception that it’s “too early to worry” given the implications of this far-reaching legislation.

Enactment of the GDPR in May 2018 will immediately trigger compliance issues for every organisation holding data, that is, essentially every organisation in the country.

The most straightforward method of compliance is to immediately appoint a data protection officer. It’s estimated that the legislation will create roles for 28,000 DPOs in Europe in 2018.

And those appointed to a DPO role must have legal training.

The most straightforward method of compliance is to immediately appoint a data protection officer. It’s estimated that the legislation will create roles for 28,000 DPOs in Europe in 2018.

And those appointed to a DPO role must have legal training.

Those hired for this role will need a very broad skillset with a significant legal component. Their tasks are exacting and extend to data privacy, data security, risk assessment, data processing and a deep awareness of technology, the Data Summit was told.

Senior Legal Counsel at the Central Bank of Ireland Denis Kelleher told the Data Summit that this broad skillset is difficult to find in any one individual.

Being a good relationship-builder is a key requirement for the role as it will require getting things done internally and externally.

He advised businesses to think long and hard about whether to outsource this strategic function.

“It’s like giving the keys of your car to an outsider,” he commented, given the DPO’s core activity of regular systemic monitoring of special categories of data. An outsourced DPO has access to information about exactly how a business works.

Outsourcing also throws up the question of how to manage external liabilities.

And from a financial perspective, Alan Curley, the privacy compliance manager with Janssen Pharmaceutical, pointed out that a third party will cost more than recruiting into a privacy role.

There will be a significant obligation on the public sector, which handles vast amounts of sensitive data, to have a DPO, though this may well be a centralised function across various departments.

An interesting conundrum, however, is that DPO professionals are independent but who resolves disputes if they don’t do their job properly? If an organisation inadvertently appoints an incompetent DPO where do they go for redress, especially given the calamitous effects on business reputation of data breaches.

The new legislation will also place a significant onus on the 19,500 registered charities in Ireland to protect sensitive personal data on vulnerable clients but it is unclear where the funding line will come from to pay for these new duties to be carried out.

The Data Summit heard that if highly-trained and qualified personnel are employed, there will be less of a burden on the regulator when it comes to enforcement.

Indeed, a DPO is often referred to as a “mini-regulator”.

UCD law lecturer Dr TJ McIntyre, also of Digital Rights Ireland, is a specialist on information technology law and civil liberties. He asked where the remedy is for a DPO who is penalised or dismissed for standing up for the rights of a data subject. 

Passive-aggressive

Responding, Denis Kelleher described the GDPR as a “passive-aggressive piece of legislation”.

He believes that many organisations will default to appointing a DPO, particularly where their controllers are risk-averse.

“This is a very clever piece of legislation,” he said. “If the model succeeds it will be rapidly replicated.”