Ahead of the forthcoming General Data Protection Regulation
(GDPR), the Article 29 Working Party earlier this year organised
the Fablab workshop.
Meeting in Brussels, more than 90 participants gathered to
discuss certain operational and practical issues linked to the GDPR
with representatives of industry, civil society, academics and
Fablab's objective was to generate a discussion that would
feed into the Article 29 Working Party's best practices and
guidelines due out at the end of the year. Four components of the
GDPR were prioritized:
Data Protection Officer (DPO)
A discussion was conducted on the role of the DPO, which
included, for example: (i) the interpretation of when a DPO should
be appointed; (ii) conflicts of interests; and (iii) the main
duties of the controller or processor regarding the DPO.
While large-scale operations would appoint a DPO, it was
recognised that SMEs could find such an appointment unaffordable.
Providing assistance to SMEs through sectorial associations was
tabled as one solution.
Data Portability
The panel identified the main stakeholders involved in data
portability and, for example: (i) the scope of the data
portability right (i.e., which types of personal data are covered);
(ii) the costs/burdens on controllers to ensure compliance; and (iii)
the interoperability between systems to allow data to be shared between
controllers in different formats.
The panel also took a closer look at the words "provided
by" in Article 20 and agreed that they included data published
by individuals on social media services, and would likely include
raw transactional data, as well as data generated by Internet
of Things devices (such as data from fitness trackers).
Data Protection Impact Assessment (DPIA)
The participants discussed the benefits and risks of DPIAs, and
requested greater guidance on how DPIAs should be produced, in
particular those with a pan-European dimension.
Certification
Various topics were discussed, but in particular: (i) the value
of maintaining a uniform, well-known European certification scheme
to generate trust; (ii) the need to clarify the relationship
between data protection authorities and national accreditation
bodies; (iii) the main elements of a certification scheme, with a
common or transparent level of evaluation that is focused on data
protection and not on IT security; and (iv) potential
threats and concerns, and ways to mitigate such threats/concerns.
For example, participants discussed what should happen should the
company fail to meet the requirements.
Fablab was well received, and discussions are underway regarding
another Fablab workshop for 2017 to discuss further operational and
practical issues relating to the GDPR's implementation.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.