Deployment of a DPO
Niamh Gavin, AIB Data Protection Legal
28 September 2017

Deadline GDPR EFFECTIVE DATE
The DPO Role Today
What’s the current status
- Not a legal requirement under the current EU Data Protection Directive
- Many EU countries (e.g. Germany & Sweden) have made it mandatory under local law
- The evolution and significance of this role under the GDPR

What’s new under the GDPR
- Mandatory v Voluntary – Assess your obligations
- Existing privacy related roles already in place may not meet the new legal criteria under the GDPR
- Protected role – DPO cannot be removed or penalised for performing tasks
- Failure to appoint a DPO – Consequences for organisations

Who is the DPO
- Expert in data protection laws and practices
- First there is the GDPR
  - 173 Recitals (not having force of law)
  - 11 Chapters
  - 99 Articles (having full force of law)
- But don’t forget: ePrivacy Regulation, NIS Directive and more

Who is the DPO
- Must report directly to highest management level
- Can be group DPO
- Can perform other tasks provided no conflict of interest
- Can be outsourced

Responsibilities of the DPO
- Monitoring compliance with the GDPR
- Consultation in the Data Protection Impact Assessment (DPIA) process
- Point of contact for the Regulator
- Point of contact for data subjects
- Role to play in record keeping

What will the DPO need
Organisations must provide:
- Proper resources (financial resources, additional staff etc.)
- Sufficient time to enable the DPO to fulfil their tasks
- Active support from senior management
- Continuous training and on-going investment

Consider
- Liability in the event of non-compliance
- Is there protection against personal liability?
- The Controller and/or Processor are ultimately responsible for GDPR compliance
- What about wilful misconduct, gross negligence?

Q & A