Last week, in a highly anticipated presser, the Article 29 Working Party shared its preliminary assessment of the proposed EU-U.S. Privacy Shield agreement. Lost amidst this anticipation, however, was an equally significant announcement from the regulatory collective’s head, Isabelle Falque-Pierrotin, regarding the group’s action plan for the implementation of the General Data Protection Regulation.
While the mandatory DPO doesn't come into force until 2019 at the earliest, and mechanisms like the European Data Protection Board and the one-stop shop won't be operational until 2018, look for guidance to be released on what those efforts will look like, along with guidance for controllers and processors on high-risk assessments and the operationalizing of data portability, before the end of the year.
“We need to be ready within two years of when the framework comes into practice,” said Falque-Pierrotin during last week’s presser. “So we have prepared an action plan defining our priorities for this year in order to meet that schedule.”
On Thursday, the WP29 officially released its statement on the 2016 action plan for the implementation of the General Data Protection Regulation, laying out its four priorities during this major regulatory shift.
“What is important,” Falque-Pierrotin emphasized last week, “is that the new framework is setting up a new governance model, and we want to anticipate that new model as soon as possible.” Chief among the features of this new model, for the WP29 at least, is the new “higher role” granted to data protection authorities.
In Thursday’s release, the WP29 states the new governance model “is a distributed governance model built on three pillars: national data protection authorities, enhanced cooperation between authorities and EDPB level for consistency.”
First among the four action-plan items is setting up the EDPB administration. This will include the establishment of IT and human resources systems as well as service-level agreements and a budget. “A key development,” the WP29 notes, “will be the development of the IT systems for the EDPB in the context of the one-stop shop.”
Similarly, the WP29 also aims to prepare the one-stop shop and consistency mechanism. This preparation will cover significant factors, including the designation of a lead DPA, cooperation among DPAs, and a consistency mechanism from the EDPB. During last week’s presser, Falque-Pierrotin said, “The one-stop shop is a key feature of the new framework” and that the WP29 “needs to come to a precise conclusion on the designation of a lead authority.” She added, “We will work to finalize these in terms of law, rules, and how we want the one-stop shop to work.”
Additionally, the WP29 aims to issue guidance to controllers and processors. “We are setting our priorities for a new data portability right,” Falque-Pierrotin said, noting that it is an important subject in need of guidelines. She also highlighted the need for privacy impact assessments for risk processing – something the WP29 refers to as the Data Protection Impact Assessment – certification, and the establishment of data protection officers (DPOs).
“We believe DPOs will be a key element in processing,” Falque-Pierrotin said, “so we need to provide controllers with clear guidelines for setting up DPOs.”
Finally, the WP29 said communication around the EDPB and GDPR is essential for making “this new legal body of the EU already visible and identifiable as a key player,” the legitimacy of which stems from the DPA. Key elements of this plan are the creation of an online communication tool, improved relationships and communication among EU institutions and supervisory groups, and participation in relevant events around the world to promote this new governance model.
“It’s important for us to communicate quickly on the EDPB,” Falque-Pierrotin said, adding, “We believe it is important to show the orientation and existence of the new EDPB.”
Falque-Pierrotin also said the WP29 is interested in creating a dialogue with the multiple stakeholders concerned with the GDPR’s implementation. “We want to launch a permanent, regular consultation process,” she said, “with businesses and civil society and to have regular exchanges” to see if the action plan is meeting the expectations of the relevant stakeholders.
Though many are focused on the fate of the Privacy Shield, the GDPR is not far off. Clearly, the WP29 is ready to get started on its implementation.