Information on the latest guidance
By Natasja Bolton, Senior Acquirer Support QSA
The EU’s General Data Protection Regulation, or GDPR for short, will come into force across all EU Member States from 25th May 2018. GDPR will affect the processing and movement of the personal data of approximately 500 million citizens. Its impact is potentially global, as it applies to any company that offers goods and services to, or monitors the behaviour of, citizens of EU Member States. This means businesses based outside the EU, such as those in the U.S. or Canada, will also be impacted by this EU Regulation if they carry out these activities. With this in mind, and now with only 13 months to go before the new regulation comes into force, we analyse the guidance that has been issued by the EU and Supervisory Authorities so far.
Guidance from the EU Article 29 Data Protection Working Party
In December 2016, the EU’s Article 29 Data Protection Working Party (WP29) adopted guidelines on the following topics. Note these documents are still open for comments and hence are considered ‘pre-adopted’.
The right to data portability
This is one of the new rights introduced with GDPR primarily intended to make it easier for a data subject to move from one service provider to another. This right requires the data controller to provide the data subject with the personal information that was knowingly and actively provided to them, in a structured, commonly used and machine readable form. In addition, the controller can be required to transmit the personal data directly to another controller.
On Data Protection Officers
Some Data Controllers and Data Processors are required to designate a Data Protection Officer: public authorities; those carrying out systematic monitoring of individuals on a large scale; and, those processing special categories of data or data relating to criminal convictions and offences on a large scale.
On identifying a controller or processor’s lead supervisory authority
GDPR introduces the ‘one-stop-shop’ principle, whereby businesses operating across multiple EU member states and carrying out cross-border processing activities or processing involving citizens of more than one EU country need only identify and engage with one data protection regulator – their lead supervisory authority.
Further WP29 Guidance
WP29 intends to produce guidance and associated FAQs on:
- Administrative fines
- High risk processing and Data Protection Impact Assessments
- Notification of personal data breaches
- Tools for international transfers
This guidance will be published here.
Pre-adopted guidance on Data Protection Impact Assessments (DPIAs) is expected in April 2017, with Certification guidance expected in June 2017.
Guidance so far published by EU Data Protection Authorities
Not all countries in the EU have published guidance yet. Below we highlight some of the data protection authorities that have.
UK Information Commissioner
The source of all GDPR knowledge and guidance from the UK Information Commissioner’s Office (ICO) is their Overview of the GDPR.
This page is a ‘living document’ and will be regularly updated as other ICO information and EU guidance is published.
The ICO published draft guidance on Consent in GDPR on 2nd March 2017. Final publication of the guidance is due in May 2017.
With the GDPR, consent should now be “given by a clear affirmative act” as a freely given, specific, informed and unambiguous indication of the individual’s agreement to the processing. This is a higher standard of consent than was previously required. The ICO’s guidance provides a recommended approach when consent is the processing condition relied upon by the data controller.
Further ICO Guidance
The ICO aims to publish guidance on the following topics early in 2017:
- Contracts and liability
The first half of 2017 should also see the ICO publish guidance or discussion papers on other areas such as profiling, risk and children’s personal data.
Ireland Office of the Data Protection Commissioner
The Ireland Data Protection Commissioner (DPC) has created a GDPR page which will collate all current guidance. The DPC will publish additional GDPR related guidance, as appropriate, on this page.
The DPC’s introductory document on preparing for GDPR can be found here.
Spanish Supervisory Authority
The Spanish Supervisory Authority has recently published a number of documents to assist organisations with meeting the requirements of the GDPR.
Links to the other Data Protection Authorities, which may publish their own GDPR guidance, can be found on this EU site.
Guidance for companies outside of the EU
- The American Bar Association has published an article on GDPR from the U.S. perspective.
- MacMillan, a Canadian Law Firm, has published a guide to GDPR for Canadian Businesses.
- International Law Firm DAC Beachcroft has published guidance applicable to all businesses based outside the EU.
No guidance appears to be planned on a data controller and data processor’s obligation to ‘implement appropriate technical and organisational security measures to protect Personal Data’ required by GDPR Article 32: Security of processing.
Therefore, organisations should review in detail the expectations of Article 32, which sets out controls and security measures that may be necessary ‘to ensure a level of security appropriate to the risk’. Data controllers and processors need to ensure that personal data is appropriately secured in line with these expectations and obligations.
The controls include:
- Pseudonymisation (explained by the DPC here) and encryption of the Personal Data;
- Measures to maintain the security of the information systems (which includes ensuring the confidentiality, integrity, availability and resilience of systems and services);
- Use of back-ups and disaster recovery to maintain availability and access to the Personal Data;
- Regular testing and assessment of the effectiveness of the security measures, both technical and organisational.
Want to know more? Read our previous article and factsheet: