Data Protection: Preparation for the GDPR - Guidance published by the Finnish DPA and Action Plan from WP29

Author: Erkko Korhonen

On 24 January 2017, the Office of the Data Protection Ombudsman published guidance (in Finnish) for companies on how to prepare for the upcoming EU General Data Protection Regulation (“GDPR”).  Although the guidance serves as a high-level introduction to the GDPR, it unfortunately does not go into specific details of the GDPR. Thus, it does not provide much help to those companies struggling with questions on interpretation the GDPR beyond its mere wording. However, on a positive note, companies in the EU may also utilise guidance and other GDPR-related materials issued and provided by other European DPAs, private entities, and communities. The WP29 has already published its views on certain aspects of the GDRP, namely regarding data protection officers, data portability, and determination of lead-DPA (please see our Blog Post from December 2016). These guidelines are still subject to further comment and update, if required.

On 16 January 2017, the WP29 published its updated action plan for 2017 as part of its global Implementation Strategy of the GDPR by 2018. The WP29 has committed to finalizing its work on certain topics undertaken already in 2016, including guidelines on certification and processing likely to result in (1) high risk situations and Data Protection Impact Assessments (DPIA), (2) administrative fines, and (3) setting up the structure of the European Data Protection Board (EDPB). The WP29 also introduced new topics for which guidelines will be considered and introduced in 2017. This includes guidelines on:

• consent and profiling,

• transparency,

• data transfers to third countries, and

• data breach notifications.

In addition, the Information Commissioner’s Office (ICO) in the UK has launched its updated GDPR Website providing highlights regarding the key themes of the General Data Protection Regulation (GDPR) to help organisations understand the new legal framework. In our opinion, this site seems to contain very useful information provided in a structured manner.

The requirement for risks assessments under the GDPR – the so-called “risk-based approach” – is probably one of the most difficult parts to grasp in the GDPR. We presume that many of you share this view. Fortunately, the Centre for Information Policy Leadership (CIPL), a global privacy and security think tank, has published a very comprehensive (44 pages) Guidance Paper on risk assessments and Data Protection Impact Assessments under the GDPR. Certainly good bedtime reading for any privacy professional!

As predicted, we are seeing more and more GDPR-related guidance published every day. We hope that the high-quality opinions on important topics continue. As always, we, in Hannes Snellman’s IP & TMT practice, are always there to help map your path to GDPR compliance.