Internal Compliance Mechanisms for Firms in the EU General Data Protection Regulation
50 (3) Revue juridique Thémis de l'Université de Montréal (RJTUM) 783-820
38 Pages Posted: 25 Jan 2018 Last revised: 15 May 2018
Date Written: January 18, 2018
Abstract
The new EU General Data Protection Regulation (GDPR) establishes requirements (and certain incentives) for internal compliance mechanisms that do not exist in current legislation. These requirements will have an impact on the internal processes and staffing of firms: in certain cases a firm must engage a data protection officer, conduct a data protection impact assessment, or make notifications of data breaches, and firms will need to organize themselves accordingly before the GDPR becomes applicable in 2018. This article first sets out the increased territorial scope of the GDPR, before discussing the increased accountability of firms, focusing on data protection impact assessments, prior consultation and prior authorization, data protection officers, and data breach notifications. Along the way, certain differences on these points among the various versions of the GDPR prior to its adoption are discussed. Finally, incentives for compliance are highlighted.
Note: This final formatted version was first published in 50(3) Revue juridique Thémis de l'Université de Montréal (RJTUM) 783-820, and is also accessible on the journal's website.
Keywords: GDPR, General Data Protection Regulation, European Union data protection law, compliance, data protection officer, DPO, data protection, data protection impact assessment, DPIA, data breach notification, data breach
JEL Classification: K2, K20, K22, K29, K33