Underscore to hyphen |
Small fixes |
Line 35:
=== Scope ===
The regulation applies if the data controller (organization that collects data from EU residents) or processor (organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore the Regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."<ref>[http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en European Commission’s press release announcing the proposed comprehensive reform of data protection rules]. 25 January 2012. Retrieved 3 January 2013.</ref>
The regulation does not purport to apply to the processing of personal data for national security activities or law enforcement within the European Union; however, industry groups concerned about facing a potential conflict of laws have questioned whether Article 48 of the GDPR,
=== Single set of rules and one-stop shop ===
A single set of rules will apply to all EU member states. Each member state will establish an independent Supervisory Authority (SA) to hear and investigate complaints, sanction administrative offences, etc. SAs in each member state will cooperate with other SAs, providing mutual assistance and organising joint operations. Where a business has multiple establishments in the EU, it will have a single SA as its “lead authority”, based on the location of its "main establishment" (i.e., the place where the main processing activities take place). The lead authority will act as a "[[one-stop shop]]" to supervise all the processing activities of that business throughout the EU<ref>The Proposed EU General Data Protection Regulation. A guide for in-house lawyers, Hunton & Williams LLP, June 2015, p. 14</ref><ref name=":1" /> (Articles 46–55 of the GDPR). A European Data Protection Board (EDPB) will coordinate the SAs. EDPB will replace the [[Article 29 Working Party]].
There are exceptions for data processed in an employment context and data processed for the purposes of national security
=== Responsibility and accountability ===
Line 65 ⟶ 66:
{{See also|European Commission Data Protection Officer}}
Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, or where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation.
The DPO is similar but not the same as a Compliance Officer as they are also expected to be proficient at managing IT processes, data security (including dealing with cyber-attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data. The skill set required stretches beyond understanding legal compliance with data protection laws and regulations.
The appointment of a DPO within a large organization will be a challenge for the Board as well as for the individual concerned. There are myriad governance and human factor issues that organizations and companies will need to address given the scope and nature of the appointment. In addition, the post holder will need to create their own support team and will also be responsible for their own continuing professional development as they need to be independent of the organization that employs them, effectively as a "mini-regulator".