In everyday language, a ‘one-stop shop’ is a business offering multiple services and the only place you need to fulfil your needs. A ‘one-stop shop’ means something else from a data protection perspective in the context of the GDPR, although its based on the same idea.
A data protection one-stop shop lets your organisation deal with a single data processing authority (DPA) in terms of the GDPR. EU organisations are usually locked into their local DPA, but non-EU organisations have more room to shop around.
DPAs often calls themselves a commissioner or regulator, rather than a supervisory or data processing authority. This is certainly the case with the Irish data processing authority who call themselves ‘The Office of the Data Protection Commissioner’ (DPC) or ’An Coimisinéir Cosanta Sonraí’ in Irish.
The major advantage of having a data protection one-stop shop is that it means your organisation is subject to a single decision, appeal and fine when something goes wrong. You’re not subject to the jurisdiction of multiple supervisory authorities or fines in more than one European Union member state. You’re making yourself vulnerable to a more complicated set of enforcement actions if you don’t set up a main establishment or representative.
But, what Member State’s supervisory authority should you choose as your one-stop shop if you can? We believe that the Republic of Ireland is a strong choice for non-EU organisations, for the reasons discussed below.
Why Ireland should be your one-stop shop for data protection
Here are six reasons why Ireland should be your one-stop shop for data protection:
1. Experienced and preferred data processing authority
A data processing authority’s effectiveness and success depends on who is running it.
Commissioner Helen Dixon has headed up the Irish DPC since 2014 and has recently begun her second term in office. Helen Dixon is a practical commissioner with sensible ideas when it comes to applying GDPR, such as promoting a layered approch to privacy notices. The Deputy Commissioners John O’Dwyer and Dale Sunderland assist her and both also have significant experience.
Under their leadership, the DPC is already responsible for protecting the personal data of many millions of people across the European Union. This is because the vast majority of US tech multinationals have based themselves in Dublin and elsewhere in Ireland when it comes to the EU market. Many of the most innovative companies in the world also have a pressence in Ireland.
2. Well-resourced supervisory authority
The Irish DPC is already well-funded and has seen increases to its funding in recent years. This has allowed it to recruit more staff, provide new initiatives, develop a new case management system and make new online services available.
It uses these resources to provide valuable guidance, such as on appropriate qualifications for data protection officers.
3. A natively English-speaking supervisory authority
The official language of the GDPR is English. But, each supervisory authority will likely prefer to communicate in their native language. Ireland will be the only one-stop shop in the European Union with English as its native language once Brexit goes through and Britain leaves.
It’s even preparing for this new role by issuing guidance on how to transfer personal data from Ireland to the UK in the event of a ‘no-deal’ Brexit.
4. Great young talent
Ireland is a nation with exceptional human capital, both in the form of its local inhabitants and internationals. It allows internationals to work in its country more readily that many of its EU counterparts with a wide list of occupations eligible for scarce-skills visas. It also has one of the best education systems in the world, is reknowned for its tech talent and has one of the youngest populations in Europe. This means that your organisation will be able to access top-notch youthful personnel to act as your representatives from a GDPR perspective.
5. Friendly people
The Irish are welcoming people well-known for their friendliness and openness towards others. They’re ready to help you when it comes to data protection.
6. Great country for business, despite challenges
Ireland is arguably one of the best countries for business in the Eurozone (which has access to many millions of consumers). This is in part thanks to having one of the most competitive corporate tax environments in the world, strong government support for business and strong sense of community that makes people want to live and work in Ireland. It faces challenges, including accommodation shortages, possible international tax policy changes and outside trade pressures. But, all countries have challenges and the benefits will outweigh the risks for most organisations.
Actions you can take
We can help you take action when it comes to making Ireland your one-stop shop for data protection by:
- establishing your one-stop shop in Ireland or elsewhere in the EU by obtaining our advice;
- getting advice on Irish data protection law by asking us to put you in touch with an Irish data protection specialist; or
- discovering what you can do to get a one-stop shop in Ireland by reading on.
What can you do to get a one-stop shop in Ireland?
There is much uncertainty when it comes to how to practically implement the GDPR where your organisation is based outside the EU. This a particularly problematic when your organisation has a negligible data footprint in Europe or when it comes to EU residents as data subjects. But, data protection law may shape your corporate structure in future and compel you to have your organisation’s headquarters in the EU.
An organisation that has its main establishment in a particular country will have the supervisory authority of that jurisdiction as their one-stop shop. For example, your DPA will be the Irish DPC if your organisation operates in Ireland and only processes personal data there (you will not be able to choose another one).
For an organisation that does not have an EU entity, you could choose a GDPR representative in a particular county. This is provided that you take the necessary steps, such as designating them in writing. You can create a one-stop shop in Ireland if you have your one main establishment (where you make all your decisions) in that country. This is even where your organisation operates in many EU Member States, provided that your organisation does not make decisions in any other Member State.
Your organisation needs to have:
- its headquarters for operations in the Ireland or another EU Member State; or
- a location at which it takes decisions regarding data processing activities in Ireland or elsewhere in the EU;
to qualify for a one-stop shop in Ireland or the other relevant EU Member State.