Preparing DPOs to lead by example: DPO-EDPS meeting in Tallinn

Wojciech Wiewiórowski

The 41st meeting between the EDPS and the DPOs from the EU institutions and bodies took place yesterday at the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA), in Tallinn.

I would like to congratulate eu-LISA for hosting what proved to be another very successful event. Our twice-yearly meetings with the DPOs are an invaluable opportunity to reinforce collaboration with our data protection partners, and are an integral part of preparations for the new data protection rules.

With just under a year left until the new data protection framework becomes fully applicable, our focus in Tallinn was on ensuring that the EU institutions and bodies have the knowledge and resources needed to lead by example in their application of data protection law.

One of the main topics of discussion was the issue of individuals’ rights under the revised Regulation on data protection. The General Data Protection Regulation (GDPR) aims to strengthen the rights of data subjects through, for example, explicitly establishing the right of individuals to erasure of their data and to data portability. It should come as no surprise that the proposed Regulation for EU institutions and bodies aims to do the same.

As the revised Regulation is yet to be finalised, it is too early to know or discuss the specificities and potential pitfalls involved in implementing it. We were, however, able to introduce DPOs to the specific data subject rights outlined in Chapter III of the current proposal and address some of the potential challenges they should prepare for.

Another area in which the revised Regulation is expected to follow the lead of the GDPR is the documentation of processing activities. DPOs will have to keep a record of all processing activities and, in some cases, will have to conduct Data Protection Impact Assessments (DPIAs) or request a prior consultation from the EDPS.

At our meeting in Alicante in late 2016 we began discussing the implications and practicalities of DPIAs in preparation for this change. Since then, we have continued to provide guidance on how to organise the documentation of data processing activities and conduct DPIAs. In Tallinn we developed the discussion further, dedicating a workshop to the topic and using case studies to illustrate when a DPIA might be required.

We are also working on a very practical guidance document on how to make these new obligations for documentation work in practice. Our aim is to provide a ready-to-use toolkit for the EU institutions, incorporating templates, checklists and forms, which can be adapted to their specific needs.

The afternoon session in Tallinn was dedicated to accountability, one of the GDPR’s key principles and a central focus of EDPS work with the institutions.

Accountability requires the institutions to be able to demonstrate their compliance with data protection rules. With this in mind, the EDPS DPO presented a draft working tool table, developed to help ensure accountability at the EDPS. DPOs were then asked to reflect on their own strategy to ensure accountability in their institution, and to determine five priorities. This proved to be a challenging but productive exercise for all DPOs, encouraging them to think ahead and exchange views on their institutional needs and priorities for demonstrating compliance.

The next meeting between the EDPS and the DPO network will be hosted by EMA in London. In the meantime, the EDPS will continue to work closely with our DPO partners and provide them with more guidance on transparency, rights and obligations, to make sure that they are ready when the new rules come into force.