There’s plenty going on behind the scenes to help ensure the GDPR lands as smoothly as possible. Companies are scrambling (some in panic) to fulfil the requirements, while privacy professionals and data protection authorities have never been busier. While you might think December ought to be a slow month, this wasn’t the case in 2017. See for yourself!
Norwegian DPA to create a DPO registry
In a bid to ease businesses into GDPR adoption and likely prevent issues in the future, Datatilsynet, the Norwegian Data Protection Authority, devised a very interesting plan. The Authority will hire Tieto Oyj to develop a registry of data protection officers (DPOs) in Norway.
This should raise awareness and allow companies to quickly and easily hire a DPO that will fulfil their needs. Plenty of companies will have to hire one, and it is projected that the number of DPOs will increase significantly. Unlike the present practice, where the Authority was responsible for registering DPOs, companies will now choose one themselves and then register them on their own.
Since Norway is a member of the EEA, but not the EU, the GDPR does not automatically become law in Norway, but with a few changes it has been implemented in the Personal Data Act which also enters into force in May 2018. Therefore, Norway is also largely a part of the GDPR landscape and in this case can serve as a valuable role model.
Bulgarian DPA adopts a 10-step action plan
A few thousand kilometres southeast, DPAs also aren’t twiddling their thumbs. The Bulgarian DPA, the Commission for Personal Data Protection, came out with an action plan that consists of 10 steps it plans to take in order to prepare data controllers for the GDPR.
The plan is straightforward and includes several important guidelines. Companies should ensure that all employees are aware of good practices. They should conduct internal analyses, and perform a data protection impact assessment. Companies that process the data of more than 10 thousand individuals are required by the Commission to appoint a DPO.
The Bulgarian DPA stresses the importance of adopting a good action plan that encompasses both the organisational and technical measures necessary for implementation. Records should be kept updated, and current data reviewed to determine if it complies with the GDPR processing requirements.
Companies are advised to improve their transparency efforts, inform their users on how their data is being used, and always try to ensure that users’ rights are respected. The requirement to contact the Commission within 72 hours in case of a data breach is also stressed.
Overall, it is a very sensible checklist that will serve as a good baseline for businesses to begin their GDPR compliance process.
Israel’s ILITA undergoes a name change
The Israeli DPA has recently renamed itself as part of its new shift in strategy. The Israeli DPA changed its name from Israeli Law, Information and Technology Authority (ILITA), and it is now known as the Privacy Protection Authority.
The name change is linked with the new Privacy Protection Regulations which enter into force on 8 May 2018 and represents a change in the institution’s core activities, which have shifted primarily to privacy and related issues.
Incidentally, Israel is one of the few countries that the European Commission considers ‘adequate’ with regards to data protection and allows for nearly unhindered cross-border data transfers.
According to the IAPP, Alon Bachar, head of the Israeli DPA, explained that the name change was made “to advance and improve our capabilities, in coping with future challenges to data protection, and in order to strengthen and enable us to fulfil our tasks, in an environment that is exposed to far-reaching and ongoing developments in the digital space”.
In the background, the agency has reorganised its departments and set new goals for the future, all in a bid to enhance public awareness and better adapt to new changes in privacy-related technologies.
Dutch Government proposes a GDPR Implementation Bill
The Dutch Council of State presented the GDPR Implementation Bill to the Parliament on 13 December 2017. The bill was long expected and in most cases it reaffirms and complements the rules laid out by the GDPR.
The bill will apply to all processors and controllers in the Netherlands, or those controllers who process Dutch-originating data. The bill does not amend nor supersede any of the existing Dutch laws.
The age for consent is reaffirmed; data of persons under 16 years is considered children’s data. All rights afforded to such data are also afforded to mentally ill people and to several other vulnerable groups.
Interestingly, the Dutch DPA has the right to search private homes and enforce the GDPR, but its powers to issue fines are limited, as fines aren’t final for as long as the company is disputing them. Most likely, the DPA will opt for administrative orders, which are conditional fines – a fine will be issued unless the company improves their practices. The bill affirms criminal data as sensitive, which is somewhat of an omission in the GDPR.
The bill explains the right of some data controllers to process special categories of data under certain circumstances based on public interest. Biometric data is also included in this provision, so that this data can be meaningfully processed. Otherwise, employers wouldn’t have the right to process such data and wouldn’t adopt biometric systems (such as for authentication).
DPOs are bound by the right to secrecy, but it is unclear if this applies both to courts and DPAs. Financial companies are still exempt from reporting breaches to data subjects, the IAPP reports.
All in all, it will be interesting to see if other countries will follow suit and implement their own separate policies and regulations. It could in some ways be a step back since we could revert to a rather fragmented situation all over again, which is precisely the opposite of what the GDPR aimed to accomplish.