Out-Law News | 16 Feb 2016 | 5:17 pm | 2 min. read
The Article 29 Working Party said (3-page / 181KB PDF) that it had identified four areas of the new Regulation in which to prioritise new guidance.
Guidelines on data portability, the notion of high risk data processing and data protection impact assessments, certification and data protection officers will "help and accompany controllers and processors to get prepared for the entry into force" of the new Regulation, it said.
The GDPR has still to be finalised but could be formally approved by EU law makers this spring. It would then be another two years before the new Regulation would come into force. Organisations will face a number of new obligations under the new regime.
Data controllers will no longer be required to pre-notify data protection authorities (DPAs) of their personal data processing activities. Instead, they, along with data processors, will need to maintain a record of the processing activities they are responsible for or carry out, and make it available to DPAs when requested, although there are some exceptions for SMEs.
In addition, organisations will be required to carry out data protection impact assessments where their plans to process personal data are "likely to result in a high risk for the rights and freedoms of individuals". This obligation will arise particularly where companies are looking to process personal data through the use of new technologies and where companies plan to engage in people profiling.
Data controllers will be required to consult with DPAs "prior to the processing of personal data where a data protection impact assessment … indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk". If a DPA believes the planned processing would not comply with the Regulation, it could issue advice to the data controller on how to proceed or use one of the powers given to it under the Regulation, such as requiring companies to open themselves up to a data protection audit.
Some companies and most public bodies will also be required to appoint a data protection officer (DPO) under the new framework. For businesses, that obligation arises where their "core activities" consist of processing operations that "by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale", or where those core activities involve processing sensitive data on a large scale.
The Regulation will allow group companies and different public bodies to share the same DPO and for DPOs to perform their duties in addition to other functions. DPOs will be required to have suitable "professional qualities" and knowledge on data protection matters. Their duties will include serving as a point of contact for organisations to DPAs and data subjects, advising their employers on personal data processing and monitoring their compliance with the Regulation.
The GDPR will also set data portability obligations that require businesses to ensure that they can hand over the personal data they possess on a consumer in a usable transferable format, to facilitate consumer switching between rival services.
Other changes the GDPR will bring include a new data breach notification framework, new provisions on liability, a revamped system of compliance monitoring and enforcement, and a stiffer, and more complex, sanctions regime.