We’ve looked in earlier alerts at the progress of the EU General Data Protection Regulation (known by some as GDPR) which is getting closer to becoming law.
The Article 29 Data Protection Working Party (“WP29”) recently issued an official statement setting out its action plan for the implementation of the GDPR. EU political agreement was reached on the GDPR in December 2015 – we reported on that last month in our updated FAQs and film, both of which can be found here.
WP29 is an official independent advisory body made up of the national EU Member State data protection authorities/regulators (“the DPAs”) and deals with issues concerning the application of EU Data Protection Directive 95/46.
Final agreement and publication of the EU GDPR is expected in the coming months, and it is expected to come fully into effect in Spring 2018. In the meantime, in anticipation of this, WP29 has set out its prioritised work plan for 2016 for the transition to the EU GDPR, in particular as regards the body that will replace WP29, the “European Data Protection Board” (“the EDPB”).
The action plan has four priorities as follows:
- Setting up the EDPB structure in terms of how it will be administered – emphasis will be given to developing the IT system for the “One-Stop-Shop” system;
- Preparing the “One-Stop-Shop” and “Consistency Mechanism” – how the “lead” DPA will be designated;
- Issuing guidance for “Data Controllers” and “Data Processors” – the specific areas will be: the new “Right to Data Portability”; the notion of “High Risk” under the “Data Protection Impact Assessments”; “Certification”; and, “Data Protection Officers”;
- Communication about the EDPB – the aim is to make the EDPB visible and identifiable as a key regulatory player.
For more details about some of these features of the GDPR refer to our FAQs and our glossary.
WP29 stresses that under the regime of the GDPR the DPAs will have a “higher role” under a “governance model” built on the DPAs and enhanced cooperation between the DPAs and the EDPB to ensure consistency. In this regard, it should be remembered that the form of a Regulation was chosen for the new EU data protection rules to try to ensure a consistent approach to data protection enforcement across the 28 EU Member States. The recent less-than-uniform responses of the DPAs to the European Court’s 2015 ruling in the Schrems Safe Harbor case demonstrate the pressing need for such consistency.
All businesses should be preparing now for the implementation of the GDPR – for more details please see the “What Should I Do Now?” section of our FAQs.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785
andre.bywater@corderycompliance.com