The General Data Protection Regulation (2016/679) (GDPR) is going to have a significant impact both on Member States and further afield. However, legal process outsourcing could become the ideal compliance tool.
The Treaty on the Functioning of the European Union requires the EU legislature to lay down rules relating to the protection of individuals with regard to the processing of personal data. These rules were originally contained in the Data Protection Directive (95/46/EC), which forms the foundation of Irish data protection law. May 2018 will witness the implementation of the GDPR, which will replace the Data Protection Directive.
The GDPR is more onerous than the Data Protection Directive, because unlike its predecessor, the GDPR is a regulation. As a result, it leaves no discretion to national legislatures as to how it is transposed into national law.
The geographical scope of the GDPR is startling. It not only applies within the EU, but also to data controllers and processors outside the EU whose processing activities relate to the offering of goods or services to, or monitoring the behaviour of, EU data subjects.
For the first time, direct obligations are placed on data processors. These include an obligation to maintain a written record of processing activities carried out on behalf of each controller; to appoint a data protection officer; to designate a representative when not established in the EU; and to notify the controller on becoming aware of a personal data breach without undue delay.
When the GDPR comes into force, it will also have quite severe penalties for those who are deemed non-compliant. In some instances fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher, can be imposed. This certainly makes compliance an imperative.
Where legal process outsourcing comes into play
Worryingly though, companies’ legal compliance departments may not have the capacity or competence to ensure their company is in conformity with the GDPR, particularly if located outside the EU.
This brings into sharp focus the crucial role of legal process outsourcing (LPO) and data protection review services.
LPO is a cost-effective way of ensuring compliance with the new rules. Instead of spending huge amounts of cash on establishing operations and procedures to meet the strictures of the GDPR, the most efficient and effective course is to outsource this task to compliance professionals. LPO providers, through their skill and expertise in data protection review, can guarantee that companies are in compliance with the GDPR, wherever they are located.
Working with LPO providers can enable companies to focus on core business activities without having to worry about dealing with the GDPR on their own. To find out more, get in touch with Johnson Hana International.