Home

Why data protection authorities do need to facilitate software companies

Laurens Mommers

COO

The GDPR has been in force for five months. While most publications focus on the (hefty) sanction regime, the GDPR is mainly about accountability. It provides data subjects with rights to take control over their own personal data and obliges organisations to facilitate these rights. It also requires organisations to have much more insight into their own data processing activities. This is primarily reflected in three documentation obligations: for processing activities, for data protection impact assessments and for data breaches.

Three questions to data protection authorities

Because many of our customers ask us whether we can facilitate the automatic transfer of internal data breach notifications to the relevant supervisory authorities, we recently sent a letter to all European data protection authorities, asking three questions:

  1. Is your organisation planning to provide an API (application programming interface) in order to communicate on data breaches?
  2. Is your organisation planning to standardise the breach notification form together with other supervisory authorities?
  3. Is your organisation planning to provide other facilities that will be relevant to software companies in the GDPR compliance domain?

On the positive side, we already received seven responses in two weeks' time. On the negative side, quite a few answers were 'no'. Regarding the first question, the Slovenian authority gives a perfectly valid reason: the low volume of breaches up till now. The Dutch authority will evaluate the need for an API in the course of 2019.

Regarding the second question, only the Slovenian authority indicates that they have adopted the breach notification model made by the European Data Protection Board. Most other authorities indicate that they, at least for now, do not have plans to use the model instead of their own form.

Regarding the third question, the Dutch and Austrian authorities indicate that they will provide an English translation of the form. The most striking answer comes from the Swedish authority though: "No. The task of the Swedish DPA is to ensure that people are protected against their personal privacy being violated through processing of personal data, not to facilitate for software companies."

Misconception of the GDPR

In my opinion, this is based on a clear misunderstanding of the GDPR and the accountability obligations it contains. In the end, the GDPR is there for two purposes: to protect data subjects (as part of EU’s human rights protection framework), and to improve and further the cause of the internal market through harmonisation of privacy regulations.

The internal market requires the removal of as many barriers for the four freedoms (free movement of goods, capital, services and labour) as possible. It thus makes perfect sense to harmonise the forms to submit breach notifications across the EU. Obviously, this would make it easier for organisations working in multiple EU member states to communicate with all supervisory authorities in the same manner.

What's more, supervision under the GDPR not only concerns breaches, but also information on processing activities and impact assessments. This means that effective supervision would require supervisory authorities to go through voluminous quantities of data to find suspicious patterns. This is where APIs could play a crucial role. APIs are a means of automating communication between software applications. Use of APIs could facilitate easier communication and direct connection to organisations' data, as and when required.

False dilemma

To be honest, I was baffled by the Swedish authority’s response to the third question. I would sincerely hope that a supervisory authority understands that this a clear-cut case of 'false dilemma'. In fact, standardisation and building APIs could support software companies in making software easier to use, thereby facilitating organisations in complying with accountability obligations. This in turn, would support the very backbone of the GDPR  - the protection of the rights of data subjects.

 
gdpr guide