On 16 December 2016, the European Article 29 Working Party released three new sets of guidelines setting out its interpretation of the main implementation issues relating to the EU General Data Protection Regulation (GDPR).
The guidelines cover the following main areas:
The right to data portability
The right to data portability allows individuals within the EU to obtain their personal information from organisations and to reuse it for their own purposes across any services.
The guidelines adopt a broad interpretation of the right to data portability: the right applies not only to personal data that the individual has actively and knowingly provided, such as through an online submission form, but also to personal data generated by the individual's use of a service, for example:
- Search history
- Traffic data
- Smart meters
Additionally, the working party recommends that organisations put in place appropriate procedures for allowing individuals to request their data and to receive all information relating to them.
Where a request for data portability is made, an organisation must provide the personal data to the individual “without undue delay” and “within one month of receipt of the request”. The data must be presented in a format that allows the individual to reuse the information, and it should include as much metadata as possible.
Data Protection Officers (DPOs)
To comply with the GDPR, an organisation is required to appoint a Data Protection Officer (DPO) in the following cases:
- The processing is carried out by a public authority or body
- The core activities of the organisation or the data processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale
- The core activities of the organisation or the data processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses
In many cases, organisations will not be required to appoint a DPO. However, the working party recommends that, unless it is obvious, the organisation should carry out and document an internal analysis to determine whether a DPO is required. If you, as an organisation, are unsure, it is safer to appoint a DPO as standard.
Identifying a lead supervisory authority
The guidelines clarify which supervisory authority is the lead supervisory authority where an organisation carries out cross-border processing of personal data. Identifying the lead supervisory authority depends on the country in which the main part of the organisation is based.
Organisations that do not have any premises within the EU must deal with the local supervisory authority in every member state in which they are active, through their local representative.