Code of Conduct on the use of GDPR compliant pseudonymisation

Background

In October 2019, the Digital Summit's Data Protection Focus Group published a ‘Draft Code of Conduct for the Use of GDPR-Compliant Pseudonymisation’ (available here in version 1.0, also available here in English). The draft was developed through collaboration between various experts from industry and public authorities, such as the data protection supervisory authority and the Federal Office for Information Security.

Several members of the focus group have decided to further develop the draft and submit it for official recognition by the data protection supervisory authorities in accordance with Art. 40 GDPR. In consultation with the focus group, Bitkom e.V. and GDD e.V. will co-ordinate the further development in terms of content and organisation and assume code ownership. SCOPE Europe bvba and SRIW e.V. (Selbstregulierung Informationswirtschaft) are intended to act as private and independent monitoring bodies in accordance with Art. 41 GDPR.

Key content

In its current version, the pseudonymisation code of conduct specifies an appropriate management process for the pseudonymisation of personal data. As a management process, the code of conduct focuses on the process itself, its documentation and its regular evaluation. This approach takes into account the fact that, on the one hand, the specific, appropriate technical and organisational implementation varies greatly depending on the application, and, on the other hand, a controlled management process can ensure that the implementation is fundamentally and continuously appropriate. Especially for processing entities that do not deal with the implementation of pseudonymisation procedures on a daily basis, a management process provides targeted guidance and prevents essential aspects from being unintentionally overlooked.

Estimated cost framework for conformity procedures

Based on the current content of the code of conduct, initial concept ideas have already been developed with regard to monitoring in accordance with Article 41 of the GDPR. Subject to the recognition of the code of conduct and accreditation of the planned monitoring procedures, the annual costs for proof of conformity are estimated at approximately EUR 1,500 per pseudonymisation process. Due to economies of scale and the strong willingness of the current participants to make the code of conduct accessible to small and medium-sized enterprises, it seems possible to reduce the annual costs – at least for small and medium-sized enterprises – to a mid-three-digit amount, provided that a reasonable minimum number of pseudonymisation processes are subject to the code of conduct.

Participants

The draft is actively supported by various stakeholders. In addition to Bitkom, GDD and SRIW / SCOPE Europe, these include

  • Acxiom Deutschland GmbH
  • Bundesdruckerei GmbH
  • Deutsche Telekom AG
  • Media Broadcast GmbH
  • United Internet AG
  • Stiftung Datenschutz

Discussions with other companies are currently underway.

Next steps

Building on the excellent work of the focus group, the material requirements of the draft were further developed into a recognisable version, supplemented by rules for the administration of the code of conduct (‘governance’) and its monitoring (‘monitoring’). In accordance with the guidelines of the European Data Protection Board, it was determined how and under what conditions future material changes will be made, how and under what conditions processing entities can submit to the code of conduct, and what fundamental, conceptual requirements are placed on monitoring. Last but not least, this also means developing a cost and fee model without jeopardising accessibility for SMEs.

The next step is to submit the current version of the code of conduct to the competent lead supervisory authority for formal approval. As a transnational code of conduct, it must undergo the consistency procedure at the European Data Protection Board.

For future versions of the code of conduct, it is planned to supplement the management process with sector-specific modules. Such modules could then be tailored to specific application scenarios. This would also allow the code of conduct to include considerations of interests or specific technical and organisational measures. Accordingly, it would then be possible to have these recognised by the data protection supervisory authorities.