The Data Protection Commission (DPC) has revamped its website and published online forms to help organisations comply with their new obligations under the GDPR.
The website contains a new Data Protection Officer (DPO) Notification Form, which must be completed by organisations to inform the DPC of their DPO’s contact details. The GDPR requires the appointment of a DPO in the following circumstances: (i) where the processing is carried out by public bodies or authorities; (ii) where an organisation’s core activities consist of large-scale regular and systematic monitoring of data subjects; and (iii) where an organisation’s core activities involve large-scale processing of special categories of data (i.e. sensitive data) or personal data relating to criminal convictions and offences. A DPO may also be appointed on a voluntary basis. However, organisations should be aware that a DPO designated on a voluntary basis will be subject to the same obligations and tasks under the GDPR as if the designation had been mandatory.
The DPC has also released Guidance on the Personal Data Breach Notification Process, along with breach notification forms for organisations to complete in order to notify the DPC of national and cross-border personal data breaches. Not all personal data breaches are reportable. The GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. A personal data breach must be reported to the DPC within 72 hours of becoming aware of the breach, where it is likely to result in a “risk” to the affected individuals. Organisations must also report a personal data breach to affected individuals without undue delay where it is likely to result in a “high risk” to their rights and freedoms. Details of all breaches, whether or not they are reportable, must be documented. The documentation should include the facts relating to the breach, its effects, the remedial action taken, and, where applicable, the reasons for not notifying the breach. The DPC requires all national breach notifications to be made using the National Breach Notification Form, and all cross-border personal data breaches to be notified using the Cross-Border Breach Notification Form.
In addition, the DPC has published updated Guidance on Data Subject Access Requests, along with flagging that requests made prior to 25 May 2018 continue to be governed by the Data Protection Acts 1988, as amended.