Deloitte’s view on the implementation of Regulation (EU) 2018/1725
‘GDPR for European Union Institutions’
On 23 May 2018, only two days before the entry into force of all General Data Protection Regulation (GDPR) provisions, representatives from the European Parliament and the Council also agreed on a Regulation on the processing of personal data by EU Institutions, agencies and bodies (EUIs). On 11 December 2018, Regulation (EU) 2018/1725, also referred to as the ‘GDPR for EUIs’, came into force. It therefore applies to all EU institutions and bodies in their processing of personal data and in practice replaces Regulation (EC) 45/2001.
The Regulation is to be considered the ‘public sector counterpart’ of the GDPR, the latter applying to all companies and organisations that process personal data within the EU and that operate in the private sector. Key roles such as data controller and data processor are defined in the Regulation in the same way as in the GDPR. The objective of the new rules is to offer EU citizens the same rights when interacting with EUIs as they enjoy under the GDPR.
Novelties introduced by Regulation (EU) 2018/1725
The reinforced principle of accountability and demonstrating compliance
Just as the GDPR for the private sector, Regulation (EU) 2018/1725 leaves little room for interpretation: its content and applicability come down to creating a culture of accountability, as the controller shall be able to demonstrate compliance with the Regulation and shall be responsible for it. To this end, the controller shall implement appropriate technical and organisational measures.
Records of processing activities
As for the GDPR, the European Data Protection Supervisor (EDPS) states that, ‘in light of the principle of accountability, the focus should be put not only on complying with the new rules, but also on being able to demonstrate compliance’.
EUIs must ensure adequate documentation of their personal data processing activities. Furthermore, the records of processing activities should be kept in a central register, which should be made publicly accessible. This obligation, laid down in article 31 of the Regulation, is the successor of the prior notification mechanism to the Data Protection Officer (DPO) under article 25 of Regulation (EC) 45/2001. EUIs may of course re-use all relevant information gathered under that prior notification mechanism.
The risk mindset
Regulation (EU) 2018/1725 emphasises the risk mindset, a key change compared to Regulation (EC) 45/2001. It affirms the necessity to always keep in mind what a processing operation does to data subjects, i.e. how that particular processing affects them. The controller shall take into account the nature, scope, context and purpose of the processing, as well as the risks that the processing activities create for the rights and freedoms of natural persons.
Data breaches and the obligation to notify the EDPS
Regulation (EU) 2018/1725 brings a new obligation to notify personal data breaches to the EDPS. Article 34 of the Regulation provides that an EUI shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the EDPS, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
A personal data breach should be interpreted broadly as ‘every breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
Key suggestions for EU Institutions
Records of processing activities: the first indispensable step
The starting point and the key success factor for compliance is the creation and maintenance of adequate records of processing activities. These are the foundation of data protection documentation and one of the first elements the EDPS will assess in order to evaluate EUIs’ compliance. The EDPS strongly recommends that EUIs keep a central register of records, maintained by the DPO, who is the most appropriate person to consult when drawing up the records.
The EDPS also provides a helping hand by issuing guidance on documenting processing operations for EUIs.
Performance of compliance and risk checks
While drawing up the records of processing activities, EUIs also have the opportunity to perform a substantive compliance and risk check. This comes down to (1) assessing the legality of the processing and (2) assessing compliance with the data protection principles. The most time- and cost-efficient way to perform these checks is to include them in the record-generation phase: the effort is paid up front, which reduces the chance of surprises afterwards. All the more so since these checks can give a first indication of the need to perform a Data Protection Impact Assessment (DPIA). The compliance check and the risk screening should enable EUIs to gain insight into the legal basis and the necessity of the processing, into the principles of purpose limitation, data minimisation, accuracy, storage limitation and transparency, and into the data subject rights. As this list already indicates, it is by not cutting corners that EUIs will be able to reap the benefits of those efforts at every later stage of the compliance story.
Embrace privacy by design and by default
Once the processing activities are mapped and EUIs have a clear view of those activities, the next step is to assess the extent to which the privacy by design and by default principles have already been taken into account in the (lifecycle of the) processing activities. To refresh memories and in another attempt to demystify the concepts, the EDPS defines privacy by design as ‘the principle that controllers have to consider data protection both during the development and deployment’ and privacy by default as ‘the principle that the default settings of products and services should be privacy-protective’.
Update privacy statements
As the private sector has extensively done in the GDPR context, creating and updating privacy statements should be a mandatory action for all EUIs. Seen positively, updating privacy statements is an excellent way to (re)assess significant aspects of personal data processing, as the Regulation requires the controller to provide transparent information, communication and modalities for the exercise of data subject rights. By adhering to those provisions, EUIs take an important step towards compliance and, importantly, towards demonstrating that compliance.
When a privacy statement is absent or not up to date, this creates reputational and non-compliance risks and is easy to spot by both data subjects and the EDPS. In this respect, privacy statements really function as a first line of defence, and their absence can effortlessly reveal a (non-compliant privacy) fortress that is easy to take. It is important to stress that a privacy statement should be available to all natural persons whose personal data are processed by EUIs, both EUI staff and external data subjects. In practice, think not only of the members of the European Commission, the European Parliament, Agencies, etc., but also of trainees, visitors, employees, experts and contractors.
When updating or drafting privacy statements, a lot of information from the records of processing activities may be used as a basis. At this stage, the importance of properly-generated records of processing activities will be clearer than ever.
Processing operations that are likely to pose a high risk to the rights and freedoms of data subjects require a DPIA. In practice, this means EUIs will have to perform a DPIA when (1) the processing is listed on the public list of processing operations established by the EDPS or (2) the processing is likely to result in high risks according to the EUI’s threshold assessment. For more information on the necessity and methodology of conducting a DPIA, EUIs can consult the EDPS Accountability on the ground toolkit (Part I and Part II).
Who is responsible for ensuring compliance with these new rules?
The EDPS warns that, although top management is accountable for compliance with Regulation (EU) 2018/1725, in practice responsibility is usually assumed at the level of the ‘controller in practice’, i.e. the business owner. The EDPS justifies this reasoning by noting that the business owner is usually the ‘main driver’, assisted by the DPO and by Data Protection Coordinators (DPCs), where appointed. For example, while top management is accountable for generating records of processing activities and performing DPIAs, it is the responsibility of the business owner to generate the records and to verify whether a DPIA needs to be conducted. The DPO can clearly assist, but it is the job of every business owner to get the work done.
The key to success here is proactivity, alignment and collaboration. For a better understanding of roles and responsibilities, the EDPS has published a RACI matrix, serving as an example of the different roles involved when generating records of processing activities.
Act as a team
While the controller/business owner is responsible for drafting the records, answering compliance check questions and verifying whether a DPIA needs to be performed, it is the task of the DPO to keep those records, to provide feedback on them and on other documentation, to reply to questions from controllers/business owners and to provide liaison between EUIs and the EDPS.
Other functions, such as the IT or legal unit/department, may support controllers/business owners as needed.
With Regulation (EU) 2018/1725, EUIs set a very high standard with regard to data protection. This enables EUIs to lead by example and to take proactive steps and actions in order to adopt the measures necessary to ensure a secure overall environment for the processing of personal data.
* All endnotes and references are available in the brochure.