Position paper gives recommendations from practicioner’s point of view
On the occasion of the first evaluation of the General Data Protection Regulation (GDPR) by the EU Commission, the European Federation of Data Protection Officers (EFDPO) calls for a relief for small and medium-sized enterprises. In a position paper, the umbrella association suggest a cutback in bureaucracy by involving the Data Protection Officer (DPO) more intensely. The bureaucracy created by the GDPR does not result from the designation of the DPO, but from the comprehensive organizational and documentation obligations of the GDPR, which exist independently of the DPO and are subject to a fine. The involvement of the DPO therefore leads to a relief for small and medium-sized businesses.
“Even the most vocal critics at the beginning of the GDPR have now come to realize that the regulation was the right and future-oriented step for data protection in the EU,” says Thomas Spaeing, President of the EFDPO. “Despite all the advantages, however, we also see potential for optimization in some points and would welcome a discussion about this.”
In order to provide true support for small and medium-sized enterprises (SMEs), the EFDPO supports, in its position paper, an obligation for controllers/processors with a DPO to report all incidents or possible incidents of a personal data breach directly to the DPO. In a second step, only those data breaches that pose a high risk to the data subjects will be directly forwarded to the supervisory authorities. The DPO also keeps a register of all incidents and monitors the corrective measures.
As a further measure, the EFDPO recommends that DPOs should play a more essential role in drafting and observing a Data Protection Impact Assessment and the Risk Analysis and be responsible for the records of processing activities.
In addition to disentanglement and harmonization within the GDPR, particularly regarding documentation obligations, the position paper advocates mitigated sanctions if companies have actively involved a DPO in the fulfillment of these obligations.
Lastly, the EFDPO sees room for improvement in the information obligation in order to achieve better general comprehensibility and transparency for the data subjects. Further information is available in the EFDPO position paper, which can be downloaded here.