General Data Protection Regulation

The General Data Protection Regulation (GDPR) has already been in existence for four years, and has been in force for two years. How can anonymization techniques under the GDPR help Data Protection Officers (DPOs) assess innovation? I hosted a webinar with Truata that featured experts from DPAs in Italy, Ireland, and the UK to find out more about their perspective. The recording is available here (link to the webinar).  

‘A revision of the 2014 opinion on anonymization techniques is in the working program of the EDPB’

• In 2014, the European data protection authorities, assembled in the Article 29 Working Party provided guidance in their opinion on anonymization techniques.
• Giuseppe DAcquisto, Senior Technology Advisor at the Italian Data Protection Authority, said that some adjustments to the 2014 guidance are needed because there are unexplored aspects of anonymization in the GDPR: A revision of the 2014 opinion is in the working program of the EDPB.
• Ultan OCarroll, Deputy Commissioner for Technology and Operational Performance at the Data Protection Commission in Ireland, said: The 2014 opinion is still as valid as it ever was, if not more so.

‘Unexplored aspects of anonymization in the GDPR’

• D’Acquisto gave three examples where in his view the use of Privacy Enhancing Technologies (PETs) could play a role.
  1. On legitimate interest as a legal ground: “Anonymization techniques can become an element in the balancing test when you want to invoke legitimate interest.”
  2. On public interest as a legal ground: “Public interest is an opportunity when used in combination with national law.” He called on national legislators to explore the possibility of including the use of privacy-enhancing safeguards in laws.
  3. On the secondary, (in)compatible use of personal data for further processing: “Rethinking the 2014 opinion is useful to explore new opportunities for data controllers.”
  • It clarifies Article 6 of the GDPR which stipulates the lawfulness of processing.
  • Recital 50 states that the processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected.
  • DAcquisto stressed that value could be added to data in the interest of the public when applying anonymization techniques as safeguards for our rights and freedoms.

‘Time to focus on privacy risk management’

• Simon McDougall, Executive Director for Technology Policy and Innovation at the Information Commissioners Office in the UK, said that it is time to focus on privacy risk management: There is a tension between risk management and hard science.
• They struggle with the concept of residual risk and the question of what risk to accept.
• He also explained the benefits of a layered approach to privacy risk management, rather than a focus on a single technology.
• Think of it as a Swiss cheese notion of [stacked] risk management measures, McDougall said.

‘Legal and technical competences are complementary to each other’

• The broader questions around innovation, sharing of data, and repurposing of data have become particularly important in the context of COVID-19.
• Accordingly, each of the experts expressed their advice for DPOs given the developments in anonymization technologies.
• DAcquisto suggested that DPOs should not rely on either legal or technical competence alone.
• A holistic approach is needed with legal safeguards, technical safeguards, and a path toward compliance.

‘DPOs: do not go alone; get help’

• DPOs need to get access to scientists and to organizational people, but also to expert advice in terms of social science, cognitive science, interface design, or mathematics, for example.
• Do not go alone; get help, he said.
• Its not worth carrying forward without that because youll be asked questions that you may not think about.
• Instead of thinking this is all incredibly complicated, they should try to understand what the risks are for the individual and the organization.
• It is possible to keep up with it so you can then have the conversation with the right expert.

• ST. PAUL, Minn., May 28, 2020 /PRNewswire-PRWeb/ -- The Public Service Pensions Board (PSPB) of the Cayman Islands has selected Sagitec for replacing their current pension administration system.
• Neospin will comply with data security and privacy standards to meet European GDPR requirements and other stringent compliance needs of the Cayman Islands.
• The Public Service Pensions Board is responsible for administering pensions on behalf of the Cayman Islands Government, Statutory Authorities and Government Owned Companies.
• Information on the Public Service Pension Board is available on the PSPB website at: http://www.pspb.ky .

• The International Chamber of Commerce (ICC) has today launched the ICC AOKpass Declaration on COVID-19 Health Data Protection .
• Launched on General Data Protection Regulation (GDPR) Day in celebration of the landmark data privacy protection laws in the European Union the Declaration signals a bold vision for a post-COVID-19 world, working together for recovery, prosperity and the upholding of health data protection as a basic human right.
• The Declaration expressly supports placing strict health data privacy at the core of COVID-19 compliance standards and verification systems, vital for recovery efforts.
• The ICC AOKpass system, endorsed under the Declaration, will provide an international technical standard for COVID-19 compliance with strict inbuilt health data protection (also known as privacy-by-design under the GDPR).

• 64 GDPR opinion on the draft Standard Contractual Clauses submitted by the Slovenian Supervisory Authority (SA) and decided on the publication of a register containing one-stop-shop decisions.
• The EDPB adopted its opinion on the draft Standard Contractual Clauses (SCCs) for controller-processor contracts submitted to the Board by the Slovenian Supervisory Authority.
• If all recommendations are implemented, the Slovenian SA will be able to adopt this draft agreement as Standard Contractual Clauses pursuant to Article 28(8) GDPR.
• The EDPB will publish a register containing decisions taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (Art.