As we enter 2017, 2018 doesn’t seem that far away…and with the new General Data Protection Regulation (GDPR) due to come into effect from 25 May 2018, organisations are running out of time to ensure compliance with the new data protection requirements. It is therefore not surprising that the Article 29 Working Party (“Working Party”) is already issuing guidance.

Here, we discuss the Working Party’s recent guidelines on:

  • The right to data portability
  • The role of the data protection officer (“DPO”)
  • The establishment of the lead supervisory authority

Data Portability

With the aim of providing greater control to users and consumers, the GDPR introduces the new right to data portability (article 20). The new right requires controllers to inform individuals about their right to data portability: the right to receive their personal data in a structured, commonly used and machine-readable format and to transmit them to another controller.

The guidance covers the following:

  • The main elements of data portability (including the right to receive personal data, the right to transmit personal data from one controller to another controller, and the impact of data portability on other rights under the GDPR)
  • When the right applies (i.e., the criteria which needs to be satisfied)
  • The need to inform individuals of the availability of the new right to data portability (articles 13 and 14)
  • How the portable data is to be provided (including expected data format, large and complex data sets and security of portable data)

The Working Party “encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats” to deliver these requirements.

Data Protection Officer (DPO)

Although the Working Party has not specified what professional requirements are necessary for the appointment of a DPO, it does stress that DPOs should have a level of expertise “commensurate with the sensitivity, complexity and amount of data an organisation processes”. The guidance also clarifies that a DPO will not be personally liable for any non-compliance with the GDPR.

In particular, the guidance covers:

  • Designation of a DPO (mandatory designation)
  • The position of the DPO (independence, necessary resources and conflicts of interests)
  • The tasks of the DPO (monitoring compliance with GDPR, data protection impact assessments, risk-based approach, and record-keeping)

Lead Supervisory Authority

The lead supervisory authority is the authority responsible for dealing with a cross-border data processing activity, which includes, for example, when an individual makes a complaint about how their personal data is being processed. The lead supervisory authority will manage any investigation which might include other supervisory authorities.

The recent guidance looks at how the main establishment is to be ascertained. The guidance provides:

  • The main establishment would typically be in the EU Member State where the organisation has its central administration; however, there may be instances where other establishments in the organisation have autonomy over decisions regarding the purposes and means of processing
  • The location of where these decisions are made would determine the ‘main establishment’. It is worth noting that there can be instances where more than one lead supervisory authority is identified

As May 2018 approaches…

It’s comforting to see that the Working Party is meeting its objectives set out in its action plan earlier last year, including issuing guidance to controllers and processors. This will enable organisations to have a firmer grasp of the required expectations regarding a number of rights and obligations under the GDPR. Also, the Working Party has said that it wants “to launch a permanent, regular consultation process” with businesses and civil society, which will allow the Working Party to observe whether its action plan is working.