Data Protection Officers (DPO) from the EU institutions and bodies met today in London at the 42nd meeting of the Network of DPOs, which was hosted by the European Medicines Agency (EMA).
This successful event created an excellent opportunity for EDPS to meet with DPOs, our data protection partners, and to exchange practical experiences. Today we continued our preparation path towards the implementation of the revised Regulation (EC) 45/2001 for the EU institutions and bodies.
One of the topics of discussion was our revised paper on the role of the DPOs in ensuring compliance with the revised Regulation (EC) 45/2001. We highlighted the important role of the DPOs as an internal ally and expert within their organisation; the controllers should consult them properly before a processing operation is launched. We had a fruitful exchange of views with the DPOs about their perception of the revised role of the DPOs, namely the positive and/or negative challenges they need to face under the mandate of the new legal framework.
One of the key principles of the proposed Regulation is the principle of accountability, which requires EU institutions and bodies to ensure, verify and demonstrate compliance. In Tallinn, the EDPS DPO presented a draft working tool table, developed to help ensure accountability at the EDPS. DPOs were then asked to reflect on their own strategy to ensure accountability in their institution, and to determine five priorities. Today, the DPO of EIF presented how a pilot project on accountability has been implemented within his organisation. Following this initiative, we dedicated a specific brainstorming session on the concrete actions, which the DPOs would propose to the top management of their institution for a smooth transition to the proposed Regulation. This exercise proved to be particularly challenging as it depends on the size of the EU institution and body. The message transmitted was that there is no grace period for updating their privacy statements and contracts as well as keeping records with their revised notifications.
Indeed, one of the tools in implementing accountability under the proposed Regulation is that controllers are required to keep a record of all processing activities and, in some cases, will have to conduct Data Protection Impact Assessments (DPIAs) with the DPO’s advice or request a prior consultation from the EDPS. In Tallinn, we dedicated a workshop to the topic using case studies to illustrate when a DPIA might be required. Today, in the afternoon session, we developed the discussion further in light of the EDPS’ very practical guidance on how to document the new obligation of a DPIA in practice. The DPOs were invited to work on a specific case study on a processing operation which required a DPIA; they were required to guide the project owner of the processing operation reflecting on some guiding questions from the EDPS paper, for example on fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security.
The EDPS IT Policy sector completed the meeting with a session on data breach notifications. With the new Regulation, which is currently in the legislative process, the obligation to notify personal data breaches to the supervisory authority and to inform data subjects will also apply to EU institutions and bodies. The EDPS discussed with the DPOs their views on possible procedures, and presented draft guidance, which was recently submitted for consultation by the Article 29 Working Party.
The meeting in London was a challenging but productive exercise for all DPOs, encouraging them to think ahead and exchange views on their institutional needs and concrete actions for demonstrating compliance. Until the next meeting, the EDPS will continue to work closely with our DPO partners and provide them with more guidance on transparency, rights and obligations, to make sure that they are ready when the new rules come into force.