Two months before the new data protection rules set out in the General Data Protection Regulation (GDPR) become applicable, the European Data Protection Supervisor (EDPS) has published two new sets of Guidelines. The Guidelines provide advice to the EU institutions on how to adapt to this new chapter in EU data protection, which is notable for the emphasis it places on the principle of accountability.
The Guidelines address data protection requirements for the management and governance of IT infrastructure in general, and for cloud computing services specifically. They build on the principles enshrined in the GDPR, which will apply in the Member States from 25 May 2018.
Wojciech Wiewiórowski, Assistant EDPS, said: “When we published our Strategy for the current mandate in 2015, we made readiness for the GDPR one of our top priorities. We are contributing to this target through our work with the EU institutions, as well as through our preparation of the EDPB secretariat. I am glad to see that we are on track with our efforts, and look forward to the completion of discussions currently underway between the European Parliament and the Council to finalise the new rules for the EU institutions.”
The legislative process for the revision of the data protection rules for the EU institutions is not yet complete. For this reason, the EDPS Guidelines use the data protection model set out in the GDPR as their reference. The EDPS nevertheless recommends that all institutions already take the new concepts outlined in the Guidelines, such as data protection by design and by default, into account, since the approach the Guidelines advocate has already been agreed by the legislator.
These guidelines complement the efforts made by the EDPS over the last couple of years to prepare the EU institutions, agencies and bodies for the revised data protection rules. This includes an extensive set of Guidelines on operational and technological matters, as well as a campaign of accountability visits aimed at top management in EU institutions and agencies and an ongoing series of training events for EU staff at all levels.
The EDPS remains committed to promoting effective data protection in the EU institutions. He fully supports the idea that the EU public sector should make use of the newest technological developments, in order to ensure that the EU administration is both efficient and transparent. The Guidelines aim to show how this can be done while remaining compliant with fundamental rights, and to identify clearly where there are limits that need to be respected.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EC) No 45/2001. The EDPS is an increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy, and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Appointed for a five-year term, they took office on 4 December 2014.
The guidelines for IT management and IT governance explain how to take data protection requirements, such as those on data protection by design and by default, into account in the development and operation of IT systems, and how the IT governance of an organisation can be established in compliance with the accountability principle.
The cloud computing guidelines provide an analysis of the specific risks to personal data in a cloud computing environment and address procedures and legal, technical and organisational measures to manage these risks adequately. Particular attention is given to requirements in public procurement processes.
In the preparation of the guidelines, the EDPS consulted data protection, IT and security experts and managers in the EU institutions and took several hundred comments and suggestions into account.
EU Data Protection Reform package:
On 25 January 2012, the European Commission adopted its reform package, comprising two legislative proposals:
• a general Regulation on data protection which was adopted on 24 May 2016, applicable as of 25 May 2018; and
• a specific Directive on data protection in the area of police and justice, adopted on 5 May 2016, applicable as of 6 May 2018.
The official texts of the Regulation and the Directive have been published and are law across the European Union (EU). Both instruments provided a two-year transition period ending in May 2018: the Regulation applies directly in the Member States from 25 May 2018 without national implementing legislation, while the Directive must be transposed into national law by 6 May 2018.