Privacy & Information Security Law Blog

On October 7, 2016, the Article 29 Working Party (the “Working Party”) published a summary of the discussions that took place at its “Fablab” workshop entitled GDPR/from concepts to operational toolbox, DIY, which took place on July 26, 2016, in Brussels.

The Fablab workshop gathered more than 90 participants, including 40 representatives from data protection authorities, to discuss certain operational and practical issues linked to the EU General Data Protection Regulation (“GDPR”) with representatives of industry, civil society, academics and relevant associations. The objective of the workshop was for the Working Party to develop, by the end of this year, best practices and guidelines for the implementation of the GDPR, in particular with respect to the following topics:

• Data Protection Officer (“DPO”). The participants discussed the need for a flexible interpretation of the criteria that will trigger the obligation for a data controller to appoint a DPO, the requirements regarding the designation of the DPO, conflicts of interests and the main duties of the data controller or data processor regarding the DPO. Amongst other topics, the participants of the Fablab discussed the following points:
  • the location of the DPO (i.e., whether the DPO can be located outside of the EU);
  • the nature of the DPO’s liability (i.e., civil or criminal liability); and
  • whether a company that has voluntarily appointed a DPO should be subject to the provisions of the GDPR applicable to DPOs.
• Data Portability. The participants discussed several general concerns with respect to this newly introduced right; in particular:
  • the scope of the data portability right (i.e., which types of personal data are covered by such right);
  • the degree of investment that is expected from data controllers to comply with such right;
  • the types of data that individuals would be most interested in; and
  • how to ensure interoperability between systems to allow data controllers to share personal data between them.
• Data Protection Impact Assessment (“DPIA”) Risks. The participants discussed the risks and benefits of DPIAs, and called for greater clarity on the circumstances in which a DPIA is required.
• Certification. The discussion focused on the four essential elements of the certification mechanisms under the GDPR; in particular:
  • The most relevant models to develop privacy certification mechanisms in the EU. The participants agreed that, ideally, there should be a uniform and well-known European certification scheme guaranteeing the level of uniformity and high standards.
  • The accreditation procedure and the roles and obligations of accreditation and certification bodies, as well as data protection authorities.
  • The main elements of a certification scheme, including a common and transparent level of evaluation and a clear focus on privacy instead of IT security.
  • An effective and meaningful certification procedure. The participants discussed potential threats and recommended procedures for mitigation of these threats with respect to the certification mechanism (e.g., consequences of a failure to certify).

The Working Party will organize another FabLab workshop in 2017 to discuss other operational and practical issues relating to the implementation of the GDPR.