Greetings from Brussels!
It’s that time of year: Here at the IAPP, we are delighted to launch our annual IAPP-EY Privacy Governance Survey for your participation. For all you privacy and data protection pros, 2017 is a pivotal year in terms of GDPR preparation. Consequently, I think this year's survey findings will be even more important as an indicator of the current state of play both regionally and globally for privacy. For those of you who read last year's report (and, indeed, more than 20,000 of you have downloaded it), you know its findings are an important benchmark for privacy insights. Areas such as GDPR, international data transfers, governance and training are all covered. Last year, we had in excess of 600 companies participate in the survey. Today, I am making a personal appeal to all of you: Please take the time to make this year's participation even better. The resulting report has been truly instrumental in shaping our privacy opinions and actions, but, moreover, it has been incredibly useful in determining the state of the privacy profession and has served as a guide for the IAPP to help enhance our offering to the membership and the privacy market as a whole. Without your support, the report would not be possible, and with that, I thank you in advance for your continued support and participation.
In other significant news this week, Germany moved one step closer to making GDPR a reality in becoming the first EU member state to revise its national privacy law ahead of May 2018. The new German Federal Data Protection Act ("Bundesdatenschutzgesetz") passed the final stage of its legislative process: The so-named German Data Protection Amendment Act has been countersigned by the German Federal President and published in the Federal Law Gazette. The GDPAA will enter into force on 25 May 2018 and will substantially change the current German Federal Data Protection Act in order to align it to the GDPR, to make use of its derogations, and to implement the Law Enforcement Directive. In addition, Germany also took advantage of the process to set out its own rules for handling employee, health and other sensitive data.
Interestingly, from the DPO requirement perspective, the new law is distinct from the GDPR when it comes to the appointment of DPOs, making use of the possibility to derogate from the GDPR. Specifically, the act embraces a threshold for the appointment of data protection officers that is "much lower" than the EU law by requiring all businesses that are subject to a privacy risk assessment or conduct commercial data processing for the purpose of transfer, anonymized transfer or market opinion research to staff the position. Currently, in Germany, the requirement generally comes into play if a minimum of 10 employees is deployed to carry out the automatic processing of personal data on an ongoing basis. Under the new act, the nature of the processing now supersedes this employee threshold. In practice, this might change very little for German companies, as their DPO requirement is already a robust one; what is more likely to change is the nature of the role itself within organizations.
While the bulk of the German law goes into effect in May, one provision does take effect immediately: namely, the right of German data protection authorities to challenge the validity of decisions of the European Commission in court, as highlighted by Bird & Bird, who added that they expect "further adjustments" to the law over the next couple of years.
With the federal law generally catered for, now the data protection laws of the German Federal States — the Bundesländer — and sector-specific data protection laws must also be adapted. Still, some fairly significant legislative work needs to be done. It remains to be seen how challenging that exercise might be; nonetheless, the Germans have the ball rolling.