Privacy Officers Network

10 July 2003

Cambridge

Overview

Ways of demonstrating compliance with data protection laws to the national Data Protection Authorities.

The Binding Corporate Rules Option for International Data Transfers

Jonathan Bamford, Assistant Commissioner, UK and Member, Art. 29 Data Protection Working Party

  • The Article 29 Data Protection Working Party's Working Document adopted on June 3rd, 2003 (WP74) (www.europa.eu.int/comm/privacy)
  • Overview of the Binding Corporate Rules Option
  • A useful global alternative to model contracts for international data transfers?
  • The range of views held by the national Data Protection Authorities (DPAs) and the European Commission
  • Members’ assessment of the tangible benefits for their organisation
  • Advantages, e.g. more room for flexibility
  • Disadvantages, e.g. DPAs may want access to internal audit reports etc.
  • Legally enforceable? Other points?
  • Recommendations to the Art. 29 Data Protection Working Party and the European Commission?

Towards an EU wide DPA notification scheme?

Jonathan Bamford, Assistant Commissioner, UK and Member, Art. 29 Data Protection Working Party

Relative merits of:

  • Home country notification
  • Identical notification but companies have to provide a version to each DPA in its own language(s)
  • Ways of closer approximation of notification requirements by national DPAs
  • Other ways to simplify the notification process?
  • Which DP Authorities are interested in this proposal?
  • The role of the European Commission
  • How long will an EU wide notification scheme realistically take to achieve? 

Towards compatibility in DP audit methodologies?

  • Would national DPAs accept the methodology of another country, e.g. Netherlands, UK, others?
  • Common accreditation scheme?
  • Link with CEN privacy standard?

Exchange of members' experience on conducting a risk assessment for prioritising and tackling data protection compliance issues

  • Members' dialogue with the PL&B 16th Annual International Conference speakers and EPON members who gave conference presentations covering risk assessment: Trevor Chew, Group Data Protection Policy Manager, HBOS; Helen Isaacs, Legal Business Manager, Kodak; and Anita Fineberg, Corporate Counsel and Chief Privacy Officer, IMS Health
  • All members are invited to describe their risk assessment methodology and share their experience