The Article 29 Working Party (Working Party) has released a summary of the topics discussed at its summer “Fablab” workshop on the incoming General Data Protection Regulation (GDPR).

This summer, the Working Party, an advisory body set up by the EU Directive 95/46/EC and composed of representatives of the national data protection authorities, held a “Fablab” workshop in order to prepare for the timely and proper implementation of the GDPR which will come into force on 25 May 2018 (see our previous blog post here).

The Working Party has now published a summary of the topics covered in the workshop. The summary can be accessed here.

With more than 90 participants present, the workshop focussed on the issues that had been prioritised in the Action Plan of the Working Party. The workshop was intended to inform the decision making around the development of best practices and guidelines, in particular regarding;

• Data Protection Officers (DPO): The participants discussed requirements for the appointment of a DPO under the GDPR. One issue which was discussed was the challenge for small and medium businesses (SMEs) to fund a DPO and the possibility of providing SMEs with sectorial associations to support their compliance to reduce costs of appointing a DPO.
• Data Portability: Participants agreed on the potential benefits of data portability to data subjects but concerns were raised as to the range of data that could be covered and the underlying costs of providing data subjects with their personal data in an electronic format.
• Data Protection Impact Assessment (Impact Assessment): There was a call to action for data protection authorities to clarify the circumstances under which an Impact Assessment is required under the GDPR with special consideration given to SMEs which are likely to have more limited resources. It was highlighted that organisations could benefit from such a list of circumstances being harmonised across Member States.
• Certification: The certification scheme under the GDPR allows for controllers and processors to be awarded certification, seals and marks to demonstrate compliance with the GDPR. Participants commented that a European umbrella certification scheme could be particularly beneficial and help to encourage trust in the scheme rather than a number of different local certification mechanisms.

WAB Comment

The Working Party is taking practical steps to reduce the uncertainty surrounding the imposition of the GDPR for organisations processing personal data. By identifying key concerns relating to the GDPR and discussing them with stakeholders, the Working Party aims to produce useful guidelines on some of the more complex aspect of the GDPR. The focus on the requirements and constraints facing SMEs is particularly welcome, given the limited resources available to smaller organisations.