7 research outputs found

    Accountability and Enforcement Aspects of the EU General Data Protection Regulation: Methodology for the Creation of an Effective Compliance Framework and a Review of Recent Case Law

    No full text
    The General Data Protection Regulation (GDPR), which has been applicable within the EU/EEA since 18 May 2018, has brought about reinforced rules on personal data protection which have dramatically shifted the paradigm for all organisations bound by them. This includes not just those which actively handle personal data as a core part of their business model, but also those which are required to handle personal data (on employees, customers or suppliers, for example) as part of their day-to-day activities – in other words, all organisations falling under the GDPR’s scope. By holding organisations responsible for their own compliance, and requiring those organisations to carefully assess the risks to the rights, freedoms, and legitimate interests of individuals when implementing measures to address these rules, the GDPR demands a higher level of accountability from all organisations concerned – the ability to not only comply with the rules, but to also demonstrate that compliance has been achieved. To help organisations understand how they can address the practical implications brought about by the GDPR, this article seeks to break down a proposed Data Protection Compliance Framework – six overarching steps which, if correctly and comprehensively implemented by those organisations, will allow them to make the necessary adjustments to their internal practices to align with the GDPR’s requirements. To highlight the importance of implementing such a Framework, the article also explores the different types of powers granted to supervisory authorities in order to enforce the Regulation, and includes a selection of relevant supervisory authority decisions to allow insight into common types of GDPR breaches, and common enforcement responses (including fines) taken by those authorities.

    D2.7 CONCEPTUAL MODEL & REFERENCE ARCHITECTURE

    No full text
    The third and final version of the PolicyCLOUD Conceptual Model & Reference Architecture (originally submitted as Deliverable D2.2 in September 2020 [20] with the second version submitted as D2.6 in June 2021 [21]) is presented in this document. The PolicyCLOUD Conceptual Model presents the overall project concept along 2 main axes. Along the first data axis PolicyCLOUD delivers Cloud Gateways and APIs to access data sources and adapt to their interfaces so as to simplify interaction and data collection from any source. Along the second main axis, the Policies Management Framework of PolicyCLOUD allows the definition of forward-looking policies as well as their dynamic adaptation and refocusing to the population they are applied on. Based on the project’s offerings along the main two axes of the Concept, five main building blocks (in a layered manner) define its Architecture: (1) The Cloud Based Environment and Data Acquisition, (2) Data Analytics, (3) the Policies Management Framework, (4) the Policy Development Toolkit and (5) The Marketplace. The architecture also includes a Data Governance Model, Protection and Privacy Enforcement and the Ethical Framework as depicted in Figure 2. The architecture allows for integrated data acquisition and analytics. It also allows data fusion with processing and initial analytics (see 7.6.5) as well as seamless analytics (see 7.6.6) on hybrid data at rest. Integration in PolicyCLOUD follows three directions: (i) architecture integration, (ii) integration with the cloud infrastructure and (iii) integration with Use Case scenarios through the implementation of end-to-end scenarios. Additional integration activities take place along the two frameworks of PolicyCLOUD, (a) the Data Governance model, protection and privacy enforcement mechanism and (b) the Ethical and Legal Compliance framework.
For end-to-end data path analysis we have used two Use Case scenarios: (i) the scenario of Use Case 1: “Radicalization incidents” and the scenario of Use Case 2: “Visualization of negative and positive opinions on social networks for different products”. The new updates in this final document provide the following: Analysis of how External Frameworks can be integrated with PolicyCLOUD (section 7.6.11.4); Presentation of the overall Conceptual View and architecture of the Data Marketplace (section 7.9.1); Outline of the mechanisms developed for initialising the Policy Development Toolkit with Policy Model components and the visualization of results (section 7.8.3); Analysis of the Ethical and Legal Compliance Framework positive interventions to the PolicyCLOUD architecture, including the addition of specific fields/parameters to the registration Application Programming Interfaces to be populated with details regarding each individual analytics tool and dataset/data source (section 7.5); Presentation of the integration of the Data Governance model, protection and privacy enforcement mechanisms with the Policy Development Toolkit, the cloud gateways and the marketplace (section 7.10.2), and within the same context, the integration of EGI-Check-in with Keycloak including the integration of the Data Governance model, protection and privacy enforcement mechanisms with the Kubernetes cluster. The document also addresses the Reviewers’ comments to the previous version of the deliverable (Deliverable D2.6), included in the second review report. 
    In order to address these comments, additional updates of Deliverable D2.7 include: (i) links to specific user/stakeholder requirements (D2.5), (ii) descriptions and implementation details for the two remaining pilot Use Cases (Sofia and London) and (iii) reference to EOSC and to the role of the Conceptual Model & Reference Architecture document for the identification of the relevant services and of their providers, and description of the onboarding process based on Deliverable D3.4 [22]. This deliverable is submitted to the EC, not yet approved.