Ahead of the forthcoming General Data Protection Regulation (GDPR), the Article 29 Working Party earlier this year organised the Fablab workshop.

Meeting in Brussels, more than 90 participants gathered to discuss certain operational and practical issues linked to the GDPR with representatives of industry, civil society, academics and relevant associations.

Fablab’s objective was to generate a discussion that would feed into the Article 29 Working Party’s best practices and guidelines due out at the end of the year. Four components of the GDPR were prioritized:

Data Protection Officer (DPO)

A discussion was conducted on the role of the DPO, which included, for example: (i) the interpretation of when a DPO should be appointed; (ii) conflicts of interests; and (iii) the main duties of the controller or processor regarding the DPO.

While large-scale operations would appoint a DPO, it was recognised that SMEs could make such an appointment unaffordable. Providing assistance to SMEs through sectorial associations was tabled as one solution.

Data Portability

The panel identified the main stakeholders involved in data portability and, for example, the: (i) scope of the data portability right (i.e., which types of personal data are covered); (ii) costs/burdens on controllers to ensure compliance; and (iii) interoperability between systems to allow data to be shared between controllers in different formats.

The panel also took a closer look at the words “provided by” at Article 20 and agreed that it included data published by individuals on social media services, and would likely include raw transactional data, as well as data generated by the Internet of Things devices (such as data from fitness trackers).

Data Protection Impact Assessment (DPIA)

The participants discussed benefits and risks of DPIAs, and requested greater guidance on how DPIAs should be produced, in particular, those concerning a pan-European dimension.


Various topics were discussed, but in particular: (i) the value of maintaining a uniform, well-known European certification scheme to generate trust; (ii) the need to clarify the relationship between data protection authorities and national accreditation bodies; (iii) main elements for a certification scheme, with a common or transparent level of evaluation that is focused on data protection and not on IT security; and (iv) discussion of potential threats and concerns, and ways to mitigate such threats/concerns. For example, participants discussed what should happen should the company fail to meet the requirements.

Fablab was well received, and discussions are underway regarding another Fablab workshop for 2017 to discuss further operational and practical issues relating to the GDPR’s implementation.