
Out-Law News

Businesses urged to help shape guidance on new EU data protection regulation


Businesses in France have been urged to help shape new guidance that will explain in more detail what their obligations are under the new EU General Data Protection Regulation (GDPR).

The French data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), has asked companies to share "specific questions, …potential difficulties of interpretation, [and] … examples of good practice" on four specific areas of the Regulation: the role of data protection officers, data portability, data protection impact assessments and certification schemes.

CNIL said it intends to feed the findings from its consultation (in French) into related work being undertaken by the Article 29 Working Party, a committee made up of representatives of the national data protection authorities from across the EU.

Earlier this year the Working Party said its priority was to produce guidance on data portability, the notion of high risk data processing and data protection impact assessments, certification, and data protection officers, expanding on what organisations' obligations are in relation to each of those areas under the GDPR, which will apply from 25 May 2018.

At the time the Working Party said the guidance would "help and accompany controllers and processors to get prepared for the entry into force" of the new Regulation.

CNIL's consultation is open until 15 July. It said it plans to liaise with stakeholders on "other themes" of the GDPR in future.

"CNIL has left it open to businesses and other stakeholders to highlight GDPR provisions separate from the four main themes it has asked for feedback on that would benefit from guidance," said data protection law expert Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com. "This is an opportunity for companies to highlight the particular areas of the Regulation they are unclear about. We are aware of companies that would like to see further explanation of how the 'one stop shop' mechanism of oversight and enforcement will operate, for example."

"Comments provided to CNIL as part of its consultation can be viewed on the consultation pages online. Some of the comments provided serve to highlight the importance of new guidance in clarifying businesses' obligations. For example, commenters have disagreed on whether businesses would need to carry out a data protection impact assessment before building employee databases. It shows that, without guidance, there is the potential for very different interpretations of the new Regulation to be made."

Under the GDPR, organisations will be under greater obligation to undertake data protection impact assessments and many will need to appoint a dedicated data protection officer. 

The Regulation also requires data controllers to make the personal data they possess available to consumers in "a structured, commonly used and machine-readable format" so that those consumers can share that data with rival companies "without hindrance", and to provide that data directly to other businesses at the request of consumers where it is "technically feasible".

Those data portability obligations only apply to data controllers that process personal data based on customer consent or to perform a contract involving the data subject and if the processing takes place by "automated means".

The Regulation also encourages the creation of data protection certification mechanisms and data protection seals and marks to allow businesses that adhere to the requirements for certification to promote their compliance with the GDPR.
