European guidance on data protection officers and data portability now available
03 Feb 2017
The Article 29 Working Party will become the European Data Protection Board under the GDPR. It is the main body issuing guidance on the Regulation, guidance that the national data protection authorities are expected to follow.
Its first tranche of guidance covers data portability, data protection officers (DPOs) and the lead supervisory authority. The DMA has offered feedback to the Article 29 Working Party on the proposed guidance.
Data protection officers are fundamental to the principle of accountability that runs through the Regulation. DPOs can drive a culture change within an organisation and bring the expert knowledge of data protection necessary to comply with the GDPR.
The guidance confirms that DPOs must be given sufficient autonomy by the organisation, and adequate resources, to carry out their role effectively. DPOs need to be able to raise red flags within an organisation free from interference or pressure to act otherwise.
The GDPR requires organisations to designate a DPO if they process personal data on a ‘large scale’; this is one of the triggers for the requirement. However, ‘large scale’ is not defined in the text, so the guidance gives some examples. They include processing customer data in the regular course of business, processing personal data for behavioural advertising, and processing ‘real time geo-location of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services’.
The other point of clarification was the requirement to designate a DPO if an organisation carries out ‘regular and systematic monitoring’. The guidance says ‘regular’ means constant or recurring, ongoing, or occurring at fixed intervals. ‘Systematic’ means occurring according to a system, taking place as part of a plan for data collection, or carried out as part of a strategy.
Most direct marketing activity requires organisations to collect personal data in the course of their business, or to handle it in some way if they are a supplier. This is a regular part of business and a necessary part of one-to-one marketing, so most direct marketing organisations will need to designate a DPO.
In its feedback the DMA raised the point that much of the data-driven marketing sector will probably fall within that definition. However, each organisation must be judged independently, as in some instances the definition may not apply. The legal requirement for a data protection officer should not be determined by general industry practice but must be the result of a specific and justified analysis of the particular case.
Moreover, the UK is woefully short of the skills needed to recruit the number of DPOs required. The International Association of Privacy Professionals estimates that the GDPR will create a need for 28,000 data protection officers across Europe and the United States. It is a great time for those with data protection skills and knowledge.
You can view the data protection officer guidance here.
Under the GDPR, individuals can request the personal data they have given to an organisation and then pass it to another organisation or keep it for themselves. The potential benefits for consumers are widely recognised, for example in the energy sector, where customers would be able to use their personal data to get a better deal from a competing energy supplier.
On the right of an individual to receive their personal data, the guidance uses the example of a music streaming service. A customer of Soundcloud, for instance, may want to find out which songs they have listened to the most and request this data.
Then there is the right to move personal data to another organisation. The Article 29 Working Party claims that the motivation for this right is to foster new, innovative business models by giving individuals greater control over their data. The DMA disagrees that this is the main purpose of the right to data portability, though it is a clear benefit arising from it; the right should be interpreted purely in the context of the GDPR and not its potential benefits.
The personal data that has to be provided is data given to the organisation by the individual. This includes data the individual supplied directly, such as preferences, names or addresses, but also personal data observed about the individual, for example the purchasing history recorded by a clothes retailer’s loyalty card.
You can view the data portability guidance here.
The Article 29 Working Party guidance is most welcome, as the ICO’s promised guidance on consent and profiling has been delayed again. Guidance on consent can now be expected in ‘early 2017’ and profiling guidance in March 2017.
The DMA will post further detail when the Article 29 Working Party responds to the feedback from industry. Comments are being accepted until 15 February 2017. The DMA did not offer feedback on the lead supervisory authority guidance.
The guidance is available here.
Please submit any comments or feedback you may have to the DMA external affairs manager, Zach.Thornton@dma.org.uk