RD428 - ETNO on GDPR implementation
ETNO would like to express its views on how to ensure a proper implementation of the GDPR in view of new digital business models and technologies such as IoT, Big Data, 5G and Connected Cars. In light of these enormous technological developments, input from the industry and from experts will be crucial during the implementation phase.
In recent months, even before the formal adoption of the GDPR by Member States and the European Parliament, the Art. 29 WG, the EDPS (before becoming EDPB) and the European Commission have been working on defining the priorities for the implementation process. This work is ongoing and ETNO strongly believes that the input from the industry is key at this stage:
- In the definition of the priorities
- In the necessary and systematic exchange with industry, especially vis-à-vis the future EDPB guidelines: authorities should consult with business before issuing any guidelines
In this context, ETNO welcomes Art. 29 WG Statement adopted on 2nd February regarding the 2016 action plan for the implementation of the GDPR which aims to draw the priorities for the transition into the new legal framework.
Towards more Transparency
ETNO considers enhanced transparency is needed (as this has been one of the weaknesses of Art. 29 WG in the past), and therefore welcomes this element as one of the priorities identified in Art. 29 WG action plans. ETNO would like to stress:
- Need for regular interaction between industry and Art. 29 WG (and the new EDPB) which will provide the adequate input and guidance on provisions that need further interpretation (e.g. Data Portability)
- Need for a harmonized approach between national DPAs in their application and enforcement of the GDPR in order to avoid fragmentation within the EU Digital Single Market and to avoid undermining one of the key achievements of the GDPR, a single EU data protection regime.
Towards a pragmatic and forward-looking interpretation of the GDPR
ETNO considers additional industry input would be necessary regarding the following issues:
- Scope and Principles (Chapters I & II)
o Definition of personal data, definition of pseudonymisation (art. 4) as key concepts in the clarification of the scope of application of the Regulation.
o Guidelines on Pseudonymisation, which has been recognized by the GDPR as an appropriate safeguard and, as such, needs to play an important role in case of further processing (Art. 6.4.e)
- Rights of the Data Subject (Chapter III)
o Data Portability (art. 20), seen as a key right that can change the relationship between citizens and companies
- Guidance for controllers and processors (Chapter IV)
o Notion of risk and the need to modulate compliance using a Risk Based Approach (what is “risk”? what is “high risk”?).
o Notification of security breaches
o Data Protection Impact Assessment (PIAs)
o Privacy by Design and Privacy by Default
o Figure of Data Protection Officer (DPO)
o Codes of Conduct and Certification (there are huge expectations on Certification as it can be a simple tool to ensure compliance and bring confidence)
- One-Stop-Shop and consistency mechanism (Chapters VI & VII)
o European Data Protection Board as new governance model
ETNO would be delighted to contribute to the ongoing work towards a successful and consistent GDPR implementation with the perspective of a major European Trade Association, whose members are not only data controllers of more traditional telecommunications services but are actively involved in new services (Cloud, Big Data, Connected Cars) having sometimes the role of controllers and sometimes the role of providers.