The EU GDPR goes into effect in May 2018. While that may seem far away, for many organizations the changes required to become compliant with the new law will take several quarters to implement. Some of the larger changes required will deal with the new “Right to Data Portability”, identifying a lead supervisory authority, and appointing a “Data Protection Officer.”
The Article 29 Working Party (WP29) has just released guidance on these three requirements. The guidance is summarized below, along with links to the full documents.
Article 20 provides data subjects with the right to data portability. The WP29 opinion on this Article helps data controllers understand what their obligations are and provides best practices and tools to help meet compliance obligations for this requirement.
If your organization conducts cross-border data processing, or is unsure whether it does, this guidance provides examples, key concepts for identifying a lead supervisory authority, and even questions to guide the identification of the lead supervisory authority.
WP29 helped clarify some terms used in Article 37(1), which lists the situations where a DPO would be required:
a) where the processing is carried out by a public authority or body
WP29 guides that “such a notion is to be determined under national law.”
b) where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
WP29 clarified that “core activities” means “key operations necessary to achieve the controller’s or processor’s goals” or in other words “an inextricable part of the controller’s or processor’s activity.”
c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
While clarification on what “large scale” means is summarized below, WP29 also gave guidance on the meaning of “regular and systematic monitoring” as well as the expertise and skills that a DPO should possess.
These factors should be considered when determining whether the “large scale” threshold is met:
– The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
– The volume of data and/or the range of different data items being processed
– The duration, or permanence, of the data processing activity
– The geographical extent of the processing activity
This blog post highlights some of the guidance issued by WP29, but the full documents contain additional insight and helpful examples. To learn more about TRUSTe EU GDPR solutions, or to speak with a consultant, contact us.