A Comparison of the Information Regulator’s Strategic Plan and the EDPB's Work Program

The Information Regulator’s Strategic Plan for 2020/21 to 2025 was released in May 2020. The Plan is important as it provides insight into the key strategic goals which inform the Regulator's activities for the period 2020/21 until 2025. The Regulator has identified two key priorities: ensuring that personal information is protected and promoting access to information.

The Strategic Plan notes outcome indicators in the form of the number of complaints related to the Protection of Personal Information Act (POPIA) and the percentage improvement in compliance with s32 of the Promotion of Access to Information Act (PAIA). The Regulator has five key programmes, which are:

  • The promotion and protection of personal information processed by public and private bodies in compliance with POPIA.

  • To ensure the effective implementation of the promotion of the constitutional right of access to information as provided in PAIA.

  • Education and communication activities in the form of engagement with the public and stakeholders.

  • Legal, policy, research and information technology analysis.

  • Administrative activities related to the effective management of the office of the Information Regulator.

On presentation of the Plan to the parliamentary Justice Committee in May, the Information Regulator discussed the following risks:

  • There was a delay in the full implementation of POPIA, and the Regulator wrote to the President and the Minister of Justice and Constitutional Development to request a Proclamation to operationalise POPIA.

  • There is a delay in the full establishment of the administration of the Regulator’s office and the Regulator hopes to develop a strategy to address the financial and human resources issues affecting the Regulator’s administration.

  • The Regulator is concerned that inadequate funding will hinder its ability to effectively and efficiently fulfil its mandate. In this regard, the Regulator seeks to secure funding from the National Treasury to fill prioritised positions on a phased-in approach.

The European Data Protection Body is guided by the EDPB Work Program 2019/2020 and its mandate comprises the following tasks:

  • To provide opinions, guidelines, recommendations and best practices for promotion of a common understanding of the GDPR and the Law Enforcement Directive.

  • To advise the European Commission on all issues related to the protection of personal data in the European Union.

  • To advance the consistent application of the GDPR, in particular in cross-border data protection cases.

  • To promote cooperation and facilitate the effective exchange of information and best practice between national supervisory authorities of EU member states.

The EDPB has developed its two-year Work Program for 2019 and 2020, and an important objective of the Program is to focus on emerging technologies. The EDPB’s Work Program is informed by the needs identified by its members as priorities for stakeholders, as well as by the EU legislator's planned activities. The Work Program records the EDPB’s commitment to regularly monitor its implementation and update the plan if necessary.

The key activities for the period 2019 to 2020 can be summarised as follows: to provide opinions, guidelines, recommendations and best practices to promote a common understanding of the GDPR and the Law Enforcement Directive on the following:

  • Guidelines on Codes of Conduct and Monitoring Bodies.

  • Guidelines on delisting.

  • Guidelines on PSD2 and GDPR.

  • Guidelines on international transfers between public bodies for administrative cooperation purposes.

  • Guidelines on Certification and Codes of Conduct as a tool for transfers.

  • Guidelines on Connected Vehicles.

  • Guidelines on Certification (finalisation after the public consultation).

  • Guidelines on video surveillance.

  • Guidelines on Data Protection by Design and by Default.

  • Guidelines on Targeting of social media users.

  • Guidelines on children’s data.

  • Guidelines on reliance on Art. 6(1) b in the context of online services.

  • Guidelines on concepts of controller and processor (Update of the WP29 Opinion).

  • Guidelines on the notion of legitimate interest of the data controller (Update of the WP29 Opinion).

  • Guidelines on the Territorial Scope of the GDPR (finalisation after the public consultation).

  • Guidelines on the powers of DPAs in accordance with Art. 47 of the Law Enforcement Directive.

  • Guidelines on data subjects' rights, with the main focus at a first stage on the rights of access, erasure, objection, restriction and limitations on these rights.

To provide Consistency Opinions on the following themes:

  • Opinion on the administrative arrangements between EEA and non-EEA financial market regulators.

  • Opinion on the Interplay between GDPR and ePrivacy.

The Plan proposes that the EDPB will engage in the following activities:

  • Privacy Shield - Complete a follow-up of the Joint Review.

  • ePrivacy Regulation.

  • Procedural rules on the Supervision of EU large scale IT systems.

  • Consultation from the Commission on the Clinical Trials Regulation.

  • Reflection paper on international mutual assistance and other cooperation tools to enforce the GDPR outside the EU (Art. 50).

  • EDPB Enforcement Strategy.

  • FATCA - Statement in response to the European Parliament’s resolution.

  • Statement on the use of personal data in the context of elections.