
“Privacypedia” about the GDPR, the poster for the drafting.

Accountability calls for a new European directory on the GDPR. It takes a list of rulings and measures, guidelines and codes of conduct. The sanctions of general relevance have to be gathered as well. We have to build, and we are already late, the European GDPR digest or, if you prefer, the European database, indexed and ready to use, in the languages of the countries that apply the GDPR.
On the one hand, it is a problem of guarantees, unavoidable and undeferrable, with respect to the application of sanctions.
On the other hand, it is a problem of culture: either we step up education in the duty of personal data protection, or the struggle with robots will be beyond remedy and the humans behind the robots will be irreparably jeopardised.
All European data protection authorities have the legal basis, and must find the resources, for a European digest of privacy. The legal basis is written in Article 57 GDPR:
“…each supervisory authority: …. b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;”
They should find the resources because, at a time when human society has become the Information Society, the right to the processing of information is the most important part of human rights.
As was said, it is a problem of guarantees for the application of sanctions.
The GDPR is a regulation that imposes a great deal of documentation of the choices made and of the measures implemented (this means a lot of bureaucracy), but it is full of general formulas.
In addition, each provision is paired with a sanction. How you operate there’s a solution. And this in the face of vague and indeterminate precepts.
We must put this proposition aside for a while, but we want to leave it here: in a system where administrative sanctions replace penal ones (prohibition of bis in idem), offences must be described with the maximum precision and not with the maximum vagueness. We cannot give up the truth that the principle of liability must be respected, since it makes the reaction of the authority predictable; and we cannot resign ourselves to indeterminacy, which leaves you in doubt as to whether you are acting wrongly or not.
However, if we are not able to predict whether or not we will be punished, we need a system of guarantees that allows us to make that prediction, but only for a moment.
We must have an explanation, an illustration of the vague rules. And how do we do this? The answer is suggested by a passage in a regulation of the insurance supervisory authority (IVASS):
“In matters governed by rules of principle, of a general or management nature, consistent with the need for certainty and predictability of the sanction, IVASS assesses the conduct taking into account any general measures or instructions issued in order to specify, where deemed necessary, the content of the precept. IVASS assesses the case also in the light of any corrective action taken against the recipients, including warnings, orders, prohibitions and other special measures, including the removal of representatives” (Article 8, paragraph 2, Ivass Regulation No. 39 of 2 August 2018).
The GDPR also requires consistency with the need for certainty and predictability of the sanction, and it requires general measures and instructions as well as measures of a special nature (warnings, orders, prohibitions for individual operators). But all this is not enough. We need a system of widespread knowledge, readily and easily available, updated and complete.
Everyone must be able to know what “correctness” of processing means, for example, or “large scale” or “high risk” and so on.
Everyone must know this through concrete case studies, not through paraphrases full of useless synonyms, which are as general and vague as the original text.
The life of the GDPR is full of concrete events, real-life stories, experiences of companies and public administrations, episodes evaluated by guarantors and judges.
We are in a time when technology allows the cataloguing, indexing and instantaneous dissemination of a sea of information. And for the GDPR the priority is precisely this: to share the concrete case studies. Only this widespread knowledge feeds awareness, only awareness modifies behaviour, only conforming behaviour consolidates a culture.
Let’s think of a collection of cases on the DPO: who has to appoint one, who can be appointed, what tasks the DPO can perform, what tasks the DPO does not have to perform. Let’s think of a dynamic working group that collects, catalogues, translates, synthesizes and makes information available free of charge, immediately and to everyone.
Support of this kind makes the decisions of the supervisory authorities homogeneous, builds a substrate of information that enables businesses and public administrations to adapt, and improves people’s lives.

SOURCE: FEDERPRIVACY
