Data Protection Day 2019

In the almost eight months since it became applicable on 25 May 2018, organisations and their advisers have been coming to terms with the General Data Protection Regulation (“GDPR”) and, in particular, the increased data protection obligations and compliance risks it places on those organisations.  Recently, news has focused on enforcement actions for non-compliance with the GDPR (most notably the fine imposed on Google by CNIL, the French data protection authority, on 21 January 2019 (which Google has since confirmed it intends to appeal)). 

A key concern for all organisations is how best to ensure that they are not vulnerable to the imposition of such fines. One way to mitigate this risk is to monitor emerging jurisprudence and guidance regarding the interpretation of the GDPR and its implementing legislation. 

As such, on the occasion of Global Data Protection and Privacy Day on 28 January 2019 it seems fitting to take stock of the latest developments in respect of guidance issued under, or in connection with, the GDPR.  Both the European Data Protection Board (“EDPB”) and the Irish Data Protection Commission (“DPC”) (and similar data protection authorities in other EU Member States) have issued such guidance.

What guidance has been issued since May 2018?

Since 25 May 2018 the DPC, in addition to providing more general GDPR resources on its website, has published guidance on a range of topics, including:

  • Limiting data subject rights and the application of Article 23 of the GDPR;
  • Anonymisation and pseudonymisation;
  • Qualifications for Data Protection Officers;
  • Data processing operations that require a data protection impact assessment (“DPIA”);
  • Data security;
  • Data controller to data processor contracts;
  • Elected representatives and the GDPR;
  • Connected toys;
  • Securing cloud-based environments;
  • The use of "Dash Cams";
  • Community based CCTV Schemes; and
  • Personal data transfers to and from the UK in the event of a ‘no deal’ Brexit.

The EDPB, since its inception on 25 May 2018, has formally endorsed certain documents and guidance that were previously published by its predecessor, the Article 29 Data Protection Working Party.  As part of its role under the GDPR, the EDPB has issued the following new guidance:

  • EDPB Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR;
  • EDPB Guidelines 2/2018 on derogations of Article 49 under the GDPR;
  • EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3); 1 and
  • EDPB Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the GDPR. 2

In addition, the EDPB has adopted opinions on the DPIA lists published by EU data protection regulators as well as providing other opinions (e.g. to the EU Commission).

With regard to other Article 29 Working Party opinions and advice, though there has not been formal endorsement in relation to every piece of its previous work, subsequent guidelines issued by the EDPB do occasionally refer to prior Article 29 Working Party documents (even where those other documents have not formally or expressly been adopted by the EDPB).

Looking ahead, the EDPB’s published work agenda indicates that it is working on further guidance (e.g. on Codes of Conduct under the GDPR) and we expect further guidance will also be forthcoming in 2019 from the DPC.  For example, the DPC is currently running a public consultation on issues relating to the processing of children’s personal data and the rights of children as data subjects under the GDPR. 3

Next steps

Organisations should continue to have regard to the existing guidance published by the EDPB, the DPC and any other relevant data protection authorities, where applicable, to their existing and future processing of personal data and should also continue to monitor further developments in this area.

  1. These guidelines were subject to public consultation which closed on 18 January 2019. No final version has yet been published EDPB.
  2. The Annex is the subject of public consultation. The period for public consultation will close on 1 February 2019.
  3. The period for public consultation will close on 1 March 2019.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.