Embarking on a challenging journey towards the new Regulation: the 43rd DPO-EDPS meeting

Wojciech Wiewiórowski

To mark the forthcoming adoption of the revised data protection rules for EU institutions and bodies, the EDPS welcomed 120 DPOs and assistant DPOs to Brussels today, where we invited them to board the EDPS ship and embark on a challenging journey towards ensuring compliance with the new Regulation.

The 43rd DPO meeting took place at an important time for the EU institutions and data protection in general: last week, the new General Data Protection Regulation (GDPR) became fully enforceable and the Council announced a political agreement with the European Parliament on corresponding rules for EU institutions and bodies. With these new rules set to come into force later this year, the EU institutions have a challenging few months ahead if they are to ensure compliance. As their supervisory authority, it is the job of the EDPS to make this journey towards the new Regulation smooth sailing and today’s meeting played a vital part in this.

Such an important voyage could not begin without a word from today’s Captain. In my role as Assistant Supervisor, I welcomed all aboard the EDPS ship by stressing the importance of the GDPR as the beginning of a new era in EU data protection. The EDPS is at the heart of this historic change, setting up the secretariat of the newly established European Data Protection Board, among other things. I also emphasised the importance the new rules place on the principle of accountability. We have been working closely with DPOs to ensure that they will be ready for the challenges of the revised Regulation, with a specific focus on ensuring that they are not only compliant with the new rules but also able to demonstrate this compliance.

The welcome talk over, it was time for the EDPS crew to put the ship’s passengers to work! Our Head of Supervision and Enforcement got things started by asking DPOs to reflect on what about the new Regulation had them feeling seasick, and what had the wind in their sails. Each was then requested to put a message in a bottle detailing the main point they would like to convey to their management about the new rules. 

The next stop on our data protection journey was to address some of the new obligations the EU institutions and bodies will have to comply with in their role as data controllers. Following an overview of recent case law on the subject, we invited DPOs to reflect on and apply the data protection requirements set out in the EDPS Guidelines for IT management and IT governance in the development and operation of IT systems. Our Navigating Officer from the EDPS IT Policy team encouraged all passengers to put these Guidelines into practice by navigating their way through a specific case study, in which they were also required to take into account the concept of data protection by design.

Under the new Regulation, data protection impact assessments (DPIAs) will be a new port of call for any proposed processing of personal data considered high risk, such as those involving large amounts of health data. Building on the work of previous DPO meetings in Alicante, Tallinn and London, at today’s meeting, we tasked DPOs with analysing the possible risks and control measures associated with a specific case study. While DPIA waters remained largely uncharted up until just a few years ago, DPOs can now rely on the EDPS Accountability on the Ground toolkit for help in navigating this part of the seven seas. An updated version of this toolkit, taking into account the rules agreed upon by the European Parliament and Council last week, will be published in the near future.

Before we reached the last stop on today’s voyage, I took the opportunity to sound the alarm on the topic of social media and micro-targeting. Referring to the recent case involving Facebook and Cambridge Analytica, I drew attention to the EDPS Opinion on online manipulation, alerting our passengers to the fact that any kind of profiling can easily become psychological profiling, which aims at manipulating people without them knowing it.

Navigating our way to compliance with the new Regulation is exciting. Nevertheless, there is always a danger that our ship might run aground if DPOs fail to keep a constant eye on the ship’s radar. Highlighting this risk was the aim of the last case study of today’s voyage, which focused on a notification submitted to the EDPS by an EU institution on a proposal to process data on how internet users perceive and speak about the institution on social media. An external contractor would be in charge of extracting the different likes, posts, shares, and comments of the users, and would provide them as aggregated data to the EU institution to draw up a report, with the purpose of improving its communication and reputation. DPOs were tasked with addressing specific questions on the lawfulness of the proposal, the contract with the external contractor, and data access rights, among other things, helping them to prepare for similar cases they might have to address in their own institutions.

It was up to the EDPS Director to bring our ship into port, by sharing the message in a bottle that each DPO had submitted at the beginning of the day. 120 DPOs and assistants then joined the crew back on dry land to enjoy the Captain’s cocktail, having successfully reached our final destination for the day.

The meeting in Brussels was a challenging but productive exercise for all DPOs, encouraging them to think ahead and exchange views on their institutional needs and the actions required to ensure, verify and demonstrate compliance.

I strongly believe that by the time the next DPO-EDPS meeting takes place, the new Regulation for EU institutions and bodies will already be in force. With this in mind, we plan to continue to work closely with our DPO partners over the coming months in order to provide them with the guidance and support necessary to prepare for the challenges ahead.