5 business recommendations for EC data regulation guidance

  • 4 April 2017

The European Union’s (EU) General Data Protection Regulation (GDPR) will become law on 25 May 2018 significantly impacting every sector of business – both within and beyond EU borders.

The International Chamber of Commerce (ICC) is appealing to policymakers tasked with developing tools to facilitate implementation of the new regulation, to continue broad and periodic consultations with business before issuing guidelines for the new legal framework.

Comprising supervisory data protection authorities of EU member states and representatives from EU institutions, the Article 29 Working Party (WP29) has been mandated to develop tools and procedures that aim to facilitate consistent and effective implementation of the law.

Vice-chair of ICC’s commission on the Digital Economy Christoph Steck of Telefonica said:

With a track record of developing tools, such as model contracts and checklists for binding corporate rules, to facilitate compliance with data protection law, ICC is both a recognized and valuable resource for the European commission. As regulators seek to implement the GDPR as an effective tool to meets its goal, listening to business is a critical step in developing their guidance on GDPR provisions that need further interpretation.

As part of the working party’s regular consultations on its priorities and guidelines, a dynamic workshop, known as a Fablab, will take place in Brussels on 5-6 April. As the world business organization, ICC has welcomed this and other WP29 initiatives that aim to create an open dialogue with stakeholders and evaluate their respective needs and expectations.

Here are five recommendations submitted by ICC on behalf of global business ahead of the Fablab:

1. Provide practical, clear, unambiguous criteria to assist companies in determining the location of their main establishment which is crucial for the one-stop-shop to work effectively. ICC says this will provide companies with more certainty and avoid undue burden on regulators by reducing the instances in which they will need to address questions.

2. Assure more balanced and objective interpretation of the data portability requirements through different industry sectors. ICC believes that it is important to preserve market diversities, competition and innovation.

3. Prepare guidelines for controllers and processors involved in personal data export to third countries and provide assurances that model clauses and other instruments remain valid. Guidance for processors is particularly welcome as the GDPR includes new obligations for processors.

4. Define what is understood as “high risk” and the scope of application for the term, as well as when privacy impact assessments (PIA) may be required. ICC believes that harmonization and unified EU views on which types of processing constitute “high risk” processing – and what the data protection impact assessment (DPIA) should include – is of importance to business.

5. Present a clear and transparent understanding of the role of the European Data Protection Board and its functions/processes. ICC encourages WP29 to focus on activities which provide guidance on concrete topics (e.g. to Data Protection Officers, and lead data protection authorities) to help data controllers better implement the GDPR.