On 5-6 April 2017 WP29 hosted a Fab Lab workshop in Brussels to prepare for the timely and proper implementation of the GDPR This consisted of stakeholder workshops on a range of GDPR topics before European business association representatives, privacy groups and consumer groups. The Fab Lab's objective was to provide information to WP29, so it may develop best practices and guidelines by the end of the year. Discussions were centred around the following topics:
1) the criteria and practical aspects of a valid consent;
2) data breach notifications made to data protection authorities (such as the ICO) and to individuals and;
3) the criteria and conditions for decisions based on profiling.
On the topic of consent, clarification was requested about the definition of "informed" consent, and clarification on the status of existing consents and how to manage consents for more than one purpose. Further guidance was also requested about how to manage consent in situations where joint controllers involved.
For data breaches, concerns were raised about fulfilling obligations, avoiding reputational issues, dealing with incomplete notifications, and the possibility to name the processor responsible for the breach. Guidance was also requested on the 72 hours deadline with reference to when the clock starts ticking.
Regarding profiling, guidance was requested for automated decision-making, limitations to the data that can be used, and what information should be included in a privacy notice and disclosed under a data subject access request. Issues were raised in relation to organisational accountability and responsibility, and ethical concerns were raised about the ethics of profiling in relation to children.
Organisations should review the ongoing feedback from these stakeholder meetings, to consider the issues that businesses are raising before WP29.
The short report from the ICO can be accessed here.
A summary of the discussions from WP29 can be accessed here.