The Treaty on the Functioning of the European Union requires the EU legislature to lay down rules relating to the protection of individuals with regard to the processing of personal data. These rules were originally contained in the Data Protection Directive (95/46/EC), which forms the foundation of Irish data protection law. May 2018 will see the General Data Protection Regulation (2016/679) (GDPR) begin to apply, replacing the Data Protection Directive. The GDPR is more onerous than the Directive because, unlike its predecessor, it is a regulation: it is directly applicable in every Member State and does not depend on national legislatures transposing it into national law, so they have no discretion over how its rules take effect. The GDPR is going to have a significant impact not only on Member States but also on non-Member States.
The geographical scope of the GDPR is striking. It applies not only within the EU but also to data controllers and processors outside the EU whose processing activities relate to the offering of goods or services to, or the monitoring of the behaviour of, data subjects in the EU. Worryingly, companies' legal compliance departments, particularly those located outside the EU, may not have the capacity or competence to ensure their company conforms with the Regulation.
For the first time, direct obligations are placed on data processors. These include an obligation to maintain a written record of the processing activities carried out on behalf of each controller; to appoint a data protection officer in the circumstances the Regulation specifies; to designate a representative in the EU when the processor is not established there; and to notify the controller without undue delay on becoming aware of a personal data breach.
When the GDPR begins to apply it will carry severe penalties for those found to be non-compliant. For the most serious infringements, fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher, can be imposed. This makes compliance an imperative.
This brings into sharp focus the role of legal process outsourcing (LPO) and data protection review services. LPO is a cost-effective way of working towards compliance with the new rules. Rather than building in-house operations and procedures from scratch to meet the strictures of the GDPR, a company can outsource that task to compliance professionals. LPO providers, through their skill and expertise in data protection review, can give a company, wherever it is located, a high degree of assurance that its processing conforms with the Regulation, although accountability for compliance remains with the controller itself. Engaging LPO providers allows companies to focus on their core business without having to build their own data protection expertise.