The French Data Protection Authority ("CNIL") recently launched a public consultation on four priority topics identified by the Article 29 Working Party ("Art. 29 WP") concerning its action plan for the implementation of the General Data Protection Regulation ("GDPR").
The GDPR, which comes into force on 25 May 2018 will overhaul European Data Protection legislation and extend the reach of EU Data Protection law compared to the current Directive 95/46/EC ("Data Protection Directive") which it replaces. Although the principles of the GDPR are broadly similar to the Data Protection Directive, there are many substantial and ambitious changes that organisations must address in advance of 2018 in order to remain compliant. As a regulation, the onerous obligations of the GDPR will be directly applicable in all Member States and will therefore have an instant impact.
The ultimate aim of the CNIL consultation is to collect questions and concerns that organisations and individuals may have in interpreting the GDPR and provide examples of best practices with regards to preparing for its implementation. Responses to the consultation will inform the discussion of the Art. 29 WP as it is due to issue guidelines on these topics.
In addition, this action represents the willingness of the CNIL to prepare in advance for the GDPR, and present itself as a leader across Europe in enabling a smooth transition into the new regulation.
The areas proposed for discussion:
Data Protection Officer ("DPO") requirements
- In what circumstances is one obliged to appoint a DPO?
- Who is qualified to be a DPO?
- In which instances and how can one share a DPO?
- How should one ensure that their DPO is appropriately resourced?
- What are the tasks and powers of a DPO?
- Other questions surrounding the DPO.
- What are the expected benefits of the new data portability rights?
- What are the limitations of data portability?
- In which formats can data be transferred and what practical issues are involved?
- Identify data portability issues relating to your industry.
- Other questions surrounding data portability.
Privacy Impact Assessments ("PIA")
- In what circumstances does one conduct a PIA? What is the scope of this obligation?
- How does one conduct a PIA and how does one assess risks to the rights and freedoms of the data subject?
- Who should be involved in conducting the privacy impact assessment and what responsibilities do they have?
- Other questions surrounding privacy impact assessments.
- Who issues certifications and what are the roles of the supervisory authorities and private certification bodies?
- Which products and services should be prioritised for certification?
- What are the specific needs of SMEs with regards to certification?
- How and when should a certification be revoked?
- Other questions surrounding certifications.
There is a fifth AOB section where organisations and individuals are invited to cover other topics and raise supplemental questions.
The consultation invites all relevant stakeholders to respond to the consultation and propose additional topics on which the Art. 29 WP could provide guidance. The consultation will be open until 15th July 2016. The CNIL will publish a summary of the contributions and launch a further consultation on new topics in the forthcoming months.
The consultation is available online.