The finalised guidance contains 3 main changes from the draft guidance (which we covered here):
1. No stream-lined personal data breach reporting
The draft guidance suggested that it would be helpful for an organisation to identify its main establishment, because the organisation would have to report a personal data breach to the supervisory authority for this establishment. This suggested a stream-lined approach to data breach reporting (at least where breaches had cross-border effect).
This example has now been deleted.
The Working Party is due to issue guidance on personal data breach reporting later this year, so we will need to wait for this to see if data breaches will need to be reported to multiple authorities. However, given this edit, this seems likely.
2. Joint controllers and lead authority
A brief, new, section is added on this. The guidance notes that GDPR does not address this topic. It states that in order to benefit from the one-stop shop principle, joint controllers should designate one establishment which has the power to implement decisions about processing with respect to all of the joint controllers. This establishment will then be the main establishment.
Where independent organisations act together as joint controllers, there are often arrangements for consultation and majority decision making. There may be considerable difficulty in giving power to one establishment in this way. This may make the concept of lead authority for joint controllers theoretical.
3. Lead authority and processors
Greater emphasis is given to the fact that if a case involves a controller and a processor, that the competent lead supervisory authority will be the lead authority for the controller. The guidance goes on to note that where processors provide services to multiple controllers this will likely mean that they have to deal with multiple supervisory authorities.
The other changes to this paper are largely minor - to ensure consistency of terminology and to re-order certain sections for reasons of emphasis. Those responsible for data protection compliance in their organisation often struggle with some elements of the law which seem impractical. At one point, the draft guidance referred to 'the pragmatic way' of dealing with a matter: the deletion of this phrase from the draft guidelines may draw a wry smile from readers.
The revised guidance on the lead authority is available here. For a redline comparison with the earlier draft, click here.