The closing weeks of 2016 saw the publication of guidance notes on the GDPR by both the Article 29 Data Protection Working Party (the advisory body comprising representatives from each of the European Data Protection Authorities) and the Irish Data Protection Commissioner.
The WP29 has published three sets of guidelines and FAQs on specific aspects of the GDPR - the right to data portability, data protection officers, and identifying a controller or processor’s lead supervisory authority. The Irish Data Protection Commissioner has produced general guidelines to assist organisations in preparing for the GDPR.
Article 29 Data Protection Working Party (“WP29”) Guidelines
Right to data portability
Article 20 of the GDPR creates a new right to data portability, which allows data subjects to receive the personal data they have provided to a data controller and to have such data transmitted to another data controller. The right applies only where the processing is based on consent or on a contract with the data subject and is carried out by automated means.
In its guidelines, the WP29 clarifies a number of aspects of this right. Of particular interest is the guidance on the types of personal data falling within its scope. Data subjects will have a right to data they have “provided to a controller”, which, the WP29 indicates, should be interpreted broadly, to cover not only data actively provided by the data subject (eg by filling in user account details) but also personal data generated by and observed from the data subject’s use of the service (eg traffic or location data). Only “inferred data” and “derived data” (eg personal data created by the service provider, such as the results of algorithmic analysis or profiling) should be excluded from a portability request. It is also worth noting that only data held electronically (and not paper files) will fall within the scope of the right.
While the GDPR does not prescribe a specific format (Article 20 requires only that the data be provided in a structured, commonly used and machine-readable format), the WP29 clarifies that it should be provided in a format which allows data subjects to move the data easily from one IT environment to another, and that the controller is not obliged to adopt or maintain technically compatible systems with other controllers. The WP29 recommends that data controllers develop tools to allow data subjects to directly download the data and/or directly transmit the data to another data controller, for example via an API.
Data Protection Officers (“DPOs”)
Under Article 37(1) of the GDPR, certain organisations are required to designate a DPO. These are public authorities or bodies, and organisations whose core activities involve the regular and systematic monitoring of individuals on a large scale, or the processing on a large scale of special categories of data or of data relating to criminal convictions and offences.
The WP29 provides some guidance in relation to the terminology used in Article 37(1). It clarifies, for example, that: the concept of a “public authority or body” should be determined under the relevant national law; “core activities” should be interpreted as key operations which are necessary to achieve the organisation’s goals, or activities where the processing of data forms an inextricable part of the organisation’s core activity (eg a hospital which processes patients’ health records as part of its core health care function); and “large scale” relates, amongst other things, to the number of data subjects concerned and the volume or range of data being processed.
The WP29 does not provide specific guidance in relation to the professional qualifications that an organisation should seek in a DPO, but notes that the level of expertise must be commensurate with the sensitivity, complexity and amount of data an organisation processes. The WP29 also indicates that a DPO cannot hold a position within an organisation that might conflict with his/her position as DPO. The function of the DPO may, however, be carried out by an external service provider.
The WP29 emphasises that it is the controller or the processor (and not the DPO personally) that remains responsible for compliance with data protection law.
Identifying a controller or processor’s lead supervisory authority
The GDPR’s so-called “One Stop Shop” principle envisages that the supervision of cross-border processing should be led by one supervisory authority, known as the “lead supervisory authority”.
In these guidelines, the WP29 provides some guidance on determining whether cross-border processing of personal data is taking place, and on determining an organisation’s “main establishment” or “single establishment” in the EU in the context of designating a lead supervisory authority.
The WP29 notes that, in certain cases, there can be more than one lead supervisory authority (eg where a multinational company has separate decision-making centres in different countries for different processing activities).
The WP29 emphasises, however, that the GDPR does not permit “forum shopping” in this regard. Organisations will need to be able to demonstrate that decisions about the purposes and means of data processing are, in fact, taken and implemented in the jurisdiction of the designated lead authority or authorities.
Irish Data Protection Commissioner (“ODPC”) Guidance
The ODPC’s guidance, entitled “The GDPR and You – Preparing for 2018”, acknowledges that organisations have concerns in relation to the increased obligations and potential penalties under the GDPR. In light of this, the guidance sets out 12 initial steps that organisations should implement, with a view to becoming GDPR-ready.
These steps include ensuring awareness of the GDPR across the organisation, making an inventory of personal data held and processed, reviewing and updating privacy notices and procedures, and considering whether a Data Protection Officer or “DPO” will need to be appointed.
The ODPC’s guidance emphasises that organisations must not wait until May 2018 to think about implementing the GDPR, but will need, as highlighted in our previous article, to begin now to “spring clean” their privacy policies and procedures.