On 11 December 2018, Regulation (EU) 2018/1725, also known as the "GDPR for EUIs", came into force, replacing the older Regulation (EC) 45/2001. All EU institutions, agencies and bodies are therefore obliged to comply with it in respect of the personal data processing activities they perform.
SpearIT, having continuous contractual involvement in EUI compliance work, has analyzed the regulation and highlights the novelties it introduces, as well as suggesting some key activities that facilitate compliance with it.
Regulation (EU) 2018/1725: new concepts and activities
Principle of Accountability
The new regulation introduces a culture of accountability, obliging the controller to demonstrate and prove compliance with the principles of personal data processing, namely lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. The controller is responsible for this and must demonstrate it by implementing appropriate technical and organisational controls.
The risk mindset is emphasized throughout this Regulation, meaning that the risks caused by the processing operations shall be considered. A more risk-driven approach is already observable across EU regulations, reflecting a wider transformation of the culture of cybersecurity management and information governance within the EU. The data controller shall take into account the nature, scope, context and purpose of the processing and, most importantly, the potential risks to the rights of the natural persons whose data are being processed.
Register of Processing Activities
EUIs must ensure adequate documentation of their personal data processing activities. Furthermore, the records of processing activities should be kept in a central register, which should be made publicly accessible. The European Data Protection Supervisor (EDPS), which is the Data Protection Authority for the EUIs, has published a guidance document covering, among other topics, records of processing activities.
Data Breach Notification
The obligation to notify personal data breaches to the EDPS is also introduced. As per art. 34, an EUI shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the EDPS, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The EDPS has also published a guidelines document on personal data breach notifications for EUIs.
Processing Activities Registry
The roadmap to compliance starts with the creation and maintenance of records of data processing activities. The EDPS recommends that EUIs maintain a central register of records and assign responsibility for it to the agency's DPO.
The EDPS has published a set of guidance documents for controllers and DPOs in the EUIs which, among other topics, describe how to generate records for their processing operations.
Compliance & Risk Assessments
These activities refer to assessing the legal posture of the processing and its compliance with the data protection principles. As a best practice, EUIs can perform the compliance and risk assessments while building the data processing records registry, since this gives an initial view of the legal basis of the processing and of the other protection principles. It also acts as an initial indicator of whether a Data Privacy Impact Assessment (DPIA) needs to be performed for the types of personal data processed, according to the data processing activities identified.
Privacy by Design
Privacy-by-Design and Privacy-by-Default are considered two critical principles whose satisfaction should be assessed once the identification and registration of data processing activities is completed. According to the EDPS, Privacy-by-Design is the principle that controllers have to consider data protection during the development and deployment of systems, so that the resulting products and services offered protect privacy adequately.
Following the GDPR implementation in the private sector, privacy statements are considered mandatory for all EUIs. Privacy statements should be available to all natural persons whose personal data is processed by EUIs. A non-existent or outdated privacy statement poses a compliance risk for an EUI.
Data processing activities which are likely to pose a high risk to the rights and freedoms of data subjects require a DPIA. In essence, this clause mandates EUIs to perform a DPIA when:
- the processing is listed on an EDPS established public list of processing operations, or
- the processing is likely to result in high risks according to the EUI's threshold assessment.
The EDPS has published the Accountability on the Ground Toolkit, which contains methodology and guidance on DPIAs: