Perhaps surprisingly, given that its implementation date is now only four weeks away, the European Parliament has published a corrigendum to the GDPR.
While the majority of the changes made to the GDPR simply clarify the existing text, it is worth noting that the corrigendum revises Article 35 of the GDPR, which relates to the requirement to appoint a data protection officer ("DPO") in certain circumstances.
In particular, the original text of the GDPR indicated that a data controller or a data processor had to appoint a DPO where its core activities involved the processing on a large scale of (i) special categories of personal data and (ii) personal data relating to criminal convictions and offences. The corrigendum has revised this text to provide that a DPO must be appointed where the controller or processor processes either category of personal data on a large scale, meaning that a larger number of organisations may now be required to appoint a DPO. The potential impact of this requirement on regulated entities such as funds, fund service providers and investment firms will need to be carefully assessed.
A copy of the corrigendum is accessible here. For a fuller discussion on the role of the DPO, see our linked analysis.