The first set of guidance on specific aspects of the new General Data Protection Regulation has been adopted by the Article 29 Working Party, the group that represents the data protection authorities of all EU member states.
The Working Party has just adopted guidance on:
- Data Protection Officers
- The right to ‘data portability’
- The rules for identifying which data protection authority should be the ‘lead’ authority for controllers and processors operating in more than one member state
The guidance can be accessed at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
We expect that this guidance will be used by the UK ICO as the basis for the corresponding guidance that it has promised to publish by the end of the year.
This guidance is the first real attempt by regulators to start putting flesh on the bones of the GDPR and how it will be applied in practice. It is therefore significant not only for what it says on these three issues but also for the feel it gives of how regulators are approaching GDPR regulation generally.
For the public sector, the Data Protection Officer guidance is particularly interesting because, having noted that GDPR does not define the concept of a ‘public authority’, the Working Party concludes that what is/is not a public authority for these purposes will be a matter for member states and national law.
In UK terms, it is not absolutely clear what that means, but it could mean that any organisation which is currently caught by the likes of the freedom of information or public procurement regimes will fall to be treated as a public authority for GDPR purposes.
In consequence, not only will it be mandatory to appoint a data protection officer, but other GDPR provisions specific to public authorities will also apply – notably the exclusion of the right to rely on the ‘legitimate interests’ condition for processing.