NEWSLETTER #5 « Risk Management, Compliance, Governance and Legal Requirements »

Risk Management, Compliance, Governance and Legal Requirements
Since we started work on promoting EN 16571, we have discovered that there is a lot of confusion about the reasons to implement the standard. At one extreme, there are those who say that there is no legal requirement to do so. There is not, but merely complying with the law has never been the benchmark of good management. Good management takes the lead as a flag bearer of best practice.

To better understand the situation, we have considered two dimensions of the issue:
• What level of rule is in place (e.g. a law, a certification scheme).
• Which management areas are closely related to RFID (e.g. data protection, system security).

In a more complete paper, which you can download from the CNRFID/CSL website, we explore these points in more detail. Some of the detailed facts are mind-blowing. Here is one: there are national laws for data protection that all organisations are required to comply with.
If the UK Data Protection Authority were to carry out an audit of all registered implementations, the task would take 1500 years. In other words, even with a law in place, organisations are expected to be responsible for good governance of data protection. This is exactly what was expected for RFID in the European Commission’s Recommendation, which led to the development and publication of EN 16571.

The General Data Protection Regulation – Progress at Last
The past month has seen an increase in activity to get the GDPR adopted as European law. The first key event was that the European Council (the ministers from each country) met on 15 June and generally agreed with the Commission’s view.
On 24 June the first trilogue meeting took place, now also involving the views of the European Parliament. No details of that meeting have yet emerged, but when we get information it will be posted on the website.

The timetable looks like this (with acknowledgements to Hunton & Williams) * **

  • July 14, 2015 – Second trilogue meeting to discuss territorial scope and international transfers.
  • September 2015 – Further trilogue meetings to debate data protection principles, the rights of data subjects and the obligations of controllers and processors.
  • October 2015 – Trilogue discussions will focus on Data Protection Authorities, cooperation and consistency, and remedies, liability and sanctions.
  • November 2015 – Further trilogue meetings to deliberate (1) the objectives and material scope of the Regulation, (2) flexibility for the public sector and (3) specific data processing regimes.
  • December 2015 – The last trilogue meetings of the year will focus on delegated and implementing acts, final provisions and any other remaining issues.

We have also looked at the latest version of the DPDR prepared by the official Rapporteur, some time before these more recent events. There are 26 references to “impact assessment”, and Clause 33 is devoted to the subject. Unlike the RFID Recommendation, this applies to all existing systems that have data protection implications. So ignoring the RFID PIA process will not be an option.

Whether you are an RFID operator or a provider of solutions, now is the time to get involved.

*https://www.huntonprivacyblog.com
**https://www.huntonprivacyblog.com/2015/06/04/general-data-protection-regulation-timetable-trilogue-discussions/