Ahead of the forthcoming General Data Protection Regulation
(GDPR), the Article 29 Working Party earlier this year organised
the Fablab workshop.
Meeting in Brussels, more than 90 participants gathered to
discuss certain operational and practical issues linked to the GDPR
with representatives of industry, civil society, academics and
Fablab's objective was to generate a discussion that would
feed into the Article 29 Working Party's best practices and
guidelines due out at the end of the year. Four components of the
GDPR were prioritized:
Data Protection Officer (DPO)
A discussion was conducted on the role of the DPO, which
included, for example: (i) the interpretation of when a DPO should
be appointed; (ii) conflicts of interests; and (iii) the main
duties of the controller or processor regarding the DPO.
While large-scale operations would appoint a DPO, it was
recognised that SMEs could find such an appointment unaffordable.
Providing assistance to SMEs through sectorial associations was
tabled as one solution.
Data Portability
The panel identified the main stakeholders involved in data
portability and discussed, for example: (i) the scope of the data
portability right (i.e., which types of personal data are covered);
(ii) costs/burdens on controllers to ensure compliance; and (iii)
interoperability between systems to allow data to be shared between
controllers in different formats.
The panel also took a closer look at the words "provided
by" in Article 20 and agreed that they included data published
by individuals on social media services, and would likely include
raw transactional data, as well as data generated by Internet
of Things devices (such as data from fitness trackers).
Data Protection Impact Assessment (DPIA)
The participants discussed the benefits and risks of DPIAs, and
requested greater guidance on how DPIAs should be produced, in
particular those with a pan-European dimension.
Certification
Various topics were discussed, but in particular: (i) the value
of maintaining a uniform, well-known European certification scheme
to generate trust; (ii) the need to clarify the relationship
between data protection authorities and national accreditation
bodies; (iii) the main elements of a certification scheme, with a
common or transparent level of evaluation that is focused on data
protection and not on IT security; and (iv) potential
threats and concerns, and ways to mitigate them.
For example, participants discussed what should happen should the
company fail to meet the requirements.
Fablab was well received, and discussions are underway regarding
another Fablab workshop for 2017 to discuss further operational and
practical issues relating to the GDPR's implementation.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.