Accountability in practice: Preparing for new data protection rules in the EU institutions

Wojciech Wiewiórowski

25 May 2018 is not only GDPR day.

It is also scheduled to be the day on which a new Regulation (the new 45) governing data processing by the European Institutions, Bodies and Agencies (EUIs), will become applicable, replacing the current Regulation (EC) No. 45/2001.

The EUIs not only employ about 60 000 staff, they also process a lot of personal information. The European Medicine Agency (EMA) analyses reports on the adverse effects of medicines as part of its pharmacovigilance role, eu-LISA is the managing authority for several large-scale IT systems, such as the Visa Information System, and the European Anti-Fraud Office (OLAF) investigates allegations relating to the misuse of EU funds. These are just three examples of the many data processing operations going on in the EUIs every day.  

A new Regulation for data protection in the EUIs: the guiding principles

The new 45 will align the rules for EUIs with those that will apply to organisations processing personal data (controllers) in the Member States, under the GDPR. However, having data protection rules on the statute book is only one part of the story: for the new law to be effective, controllers need to be aware of their obligations and have a plan to put them into practice.

The main changes introduced by the new rules revolve around three key principles: accountability, a risk-based approach and data protection by design and by default.

Accountability means that it is the responsibility of the controller not only to comply with the new rules, but also to be able demonstrate how their processes comply with these rules. It is not a new concept, but is more prominent under the new rules.

Adopting a risk-based approach means ensuring that the amount of thought and effort that goes into ensuring compliance is comparable with the risks associated with each processing operation. For example, the documentation requirements for the management of subscribers to an EUI’s newsletter will be more limited than that required for an exclusion database for tenderers.

Data protection by design and by default is a way of ensuring compliance. It requires controllers to think about how to address data protection requirements and limit the impact of data processing operations on fundamental rights from the beginning, when designing these processes. This ensures that any potential compliance issues are discovered and addressed efficiently, at an early stage.

However, in order to be effective, these guiding principles must be translated into action.

Accountability meetings and training for EUI staff

In order to raise awareness on these points, I travelled to Luxembourg with some of my staff earlier this week. We met with management representatives of the European Parliament, the European Investment Bank, the European Investment Fund and the Consumers, Health, Agriculture and Food Executive Agency (CHAFEA). In each of these meetings, we explained the main changes introduced by the new 45 and how to prepare for them. These meetings were aimed at upper management: as with any compliance effort, those at the top set the tone.

However, even if management sets the tone, all staff need to know about the rules. That is why we also organised two training sessions aimed at staff from all Luxembourg-based EUIs.

In total, more than 200 staff members attended the sessions. We provided an overview of both the current rules and the rules under the new 45, as well as walking staff through their obligations when processing personal data and their rights when their data is processed by EUIs. At the end of each session, we had a lively question and answer session, one of which was recorded and web-streamed. I encourage you to take a look!

A special thank you to the European Court of Auditors, who graciously hosted us for the two sessions.

More sessions are scheduled to take place in Brussels over the coming months. We will also be publishing further guidance documents for controllers and Data Protection Officers (DPOs) in the EUIs, based on the new 45 and its specificities. Since the principles behind the new 45 are the same as in the GDPR, these documents might also serve as inspiration for organisations outside the EU bubble. Our paper on information requirements under the new 45 is a good example of this.

The applicability of the new rules for EU institutions

We must address the elephant in the room: It is possible that the new 45 will not be applicable from 25 May 2018, as originally intended, but slightly later. This is due to unforeseen complications encountered in negotiations on the new rules between the European Parliament and the Council (see Giovanni Buttarelli’s blogpost from 22 January 2018).

Regardless, the EUIs must continue their efforts to prepare for the new rules. This is important for several reasons:

  • It is still possible that the new 45 will apply from 25 May 2018. Should this happen, all new legal obligations will become applicable that very day and the EUIs must be ready to comply with them immediately;
  • Any delay is likely to be short, so keeping to the current schedule is the best course of action to ensure that the EUIs are ready on time;
  • The parts of the legislation that could delay the process will not affect most of the EUIs directly. On topics such as documentation, data subject rights, data processors, data breach notifications and security, the text appears to be stable, meaning that the EUIs can continue their preparations according to schedule.

The bottom line is this: it is a lot better to err on the side of caution and be ready for 25 May 2018 than to be caught unprepared.

Our efforts will certainly not slow down. Both in our role as a supervisor for the EUIs, involved in preparing guidance and adapting our internal procedures, and as a controller, getting our own documentation ready to demonstrate accountability, we will keep to schedule. The EDPS will be ready for the new rules on 25 May 2018; the EUIs must make sure that they are too.