Ms Helen Dixon:

We certainly envisage an increase in workload. We believe this will arise in a number of ways. As Mr. Carroll outlined earlier, we have a broader range of powers and functions under the GDPR. We believe the increased workload will stem primarily, we hope, from greater awareness of individuals and data subjects of their rights under EU legislation. Once obligations fall under the GDPR on all sorts of organisations to be more transparent and accountable with data subjects, awareness of and concern about their rights will increase. We believe we will start to see more complaints. In addition, data subjects are acquiring new rights under the GDPR. They are acquiring rights of data portability in certain cases, so we will see new types of complaints starting to arise requiring new technical expertise on our part. In addition, our supervisory role relating to all of the organisations we supervise will increase. As there are new accountability and transparency requirements on organisations we will be required to supervise that they are implementing those and in far more prescriptive terms than we are required to do currently.

Another area where we envisage our workload increasing relates to the cross-border processing cases with which we will have to deal. As a supervisory authority, we will act as the lead supervisory authority in Europe for all of the Internet multinationals located here. When we investigate a matter relating to one of those companies, we are obliged under the GDPR to consult with our fellow data protection authorities in Europe, take utmost account of the views they express on the matter and, ultimately, if we cannot incorporate their views into the findings we make we will be obliged to refer the matter to the new European data protection board which will make a decision as to whether an objection from another data protection authority is relevant and reasoned. Where it finds that the objection is relevant and reasoned, the European data protection board will then take a decision in the case. There is an entirely new set of mechanisms, complexity and layers. We are not exercising exclusive competence under Irish data protection Acts any longer, but will be implementing this harmonised regulation.

We anticipate an increased workload across a range of areas. There is also the requirement for data controllers to notify breaches to us on a mandatory basis, which will massively increase the number of breaches notified to the authority and which will require subsequent investigation. It is also required of data controllers who are obliged to appoint a data protection officer to notify those details to us. There is a range of areas where we have new functions, in addition to the prior consultation function with the data protection authority where new legislation is to be implemented. Where any type of data controller has been obliged to conduct a data protection impact assessment and has been unable to mitigate all of the risks they are obliged to consult with the data protection authority. The Deputy is correct that we will need many more resources to implement the GDPR.