Extra data protection commissioners to be appointed under GDPR law

The new regulation, which enters force on 25 May 2018, introduces major changes throughout the EU around the appointment of data protection officers, risk assessments, and the notification of authorities where a data breach has been detected.

It also provides for heavy penalties for companies that are in breach of the regulation, including fines of up to four per cent of global turnover or €20 million (whichever is greater) in the case of non-compliance.

According to notes in the draft legislation, which is currently still being drawn up, the extra appointments recognise the “anticipated additional workload arising from the GDPR”.

It continues: “The possibility of stringent sanctions, including large administrative fines, arising from the investigation of complaints or the conduct of data protection audits, means that rigorous procedural safeguards and due process standards must be maintained in order to withstand likely court challenges.

“This will require the separation of the investigative and adjudicative processes within the commission and will impose a significant additional workload on the commissioner.”

It points out a likelihood of “resource-intensive” cases as large multinational companies are based in Ireland, “including those servicing data subjects across the EU such as Facebook”.

Controversially, the bill also proposes an exemption from fines for public sector bodies unless they compete with private sector bodies.