UK Firms Hiring Staff To Deal With New EU Data Protection Rules

King & Spalding

UK firms are taking on more staff to deal with the new EU General Data Protection Regulation (the “GDPR”). A survey carried out last year by specialist recruitment consultancy firm Robert Half found that two thirds of UK firms intended to employ new permanent staff, and that 64% planned to take on more temporary or interim staff, to cope with the requirements of the GDPR.

Article 37 of the GDPR introduces a requirement for certain bodies - namely, public authorities (except for courts acting in their judicial capacity), and companies whose core activities consist of large scale processing of data that requires regular and systematic monitoring of data subjects, or data relating to criminal convictions and offences - to appoint a data protection officer (a “DPO”). The GDPR is a minimum harmonising regulation; Member States can impose their own requirements for DPOs in addition to those under the GDPR. For example, under German law, the designation of a DPO will be mandatory if companies usually deploy at least ten employees to carry out the automatic processing of personal data on an ongoing basis. Thus, even after the GDPR comes into force, different standards for the mandatory appointment of DPOs may still apply throughout Europe.

Many companies are choosing, therefore, to hire a DPO voluntarily. DPOs must have expert knowledge of data protection law and practices, and the ability to fulfil the tasks referred to in Article 39, which include advising employees who carry out data processing of their obligations under the GDPR, monitoring compliance, and cooperating with the relevant supervisory authority. The GDPR also allows groups of undertakings to appoint a single DPO, provided that the DPO is “easily accessible from each establishment”.

UK companies are also taking on more data compliance staff generally, most likely in response to the potentially heavy fines for breaches of the new rules under the GDPR. Lesser incidents will be subject to a maximum fine of either €10 million or 2% of an organisation's global turnover (whichever is greater), and the most serious violations could result in fines of up to €20 million or 4% of turnover (whichever is greater). The GDPR sanction regime will therefore have significant commercial impacts for firms that fall foul of the rules, far greater than under current UK legislation, which caps fines at £500,000. Indeed, research by NCC Group concluded that fines from the Information Commissioner's Office against British companies in 2016 would have been £69 million rather than £880,500 if the GDPR scale had been applied.

However, it seems that some firms have left it very late to make their new hires. The GDPR comes into force on 25 May 2018 and job vacancy platform Joblift has revealed that of some 4,000 DPO vacancies advertised on its site, 1,011 have appeared since January 2018.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
