How DPOs can tackle the massive EDPS Microsoft 365 Commission decision
Highlights bonanza, yet again


April update: My key takeaway = stop using US-based cloud services...

If you have anything to do with the GDPR, you probably saw that the EDPS - European Data Protection Supervisor handed down a rather embarrassing decision against the European Commission for their unlawful use of Microsoft's Microsoft 365 services.

I say 'embarrassing', but could also say 'shocking'. I probably don't have to point out the irony here. Anyway, this isn't an article about the decision itself.

It's an article:

  1. to help you determine if you should spend time reading the full 180 pages,
  2. if so, how you should (and shouldn’t) do it, and
  3. how you can save significant time not reading the whole thing, by either collaborating with others or letting someone else do the fine-reading for you.

Is it worth the hassle? If yes, here's how to tackle it

Let’s start with my initial question: Should you spend time on the decision?

  • If you’re a DPO or work with the (UK-)GDPR, it’s relevant.
  • Using cloud services? Even more relevant.
  • Is the vendor in the US? Stakes just got higher.
  • Is that vendor Microsoft? Now it’s a non-negotiable.

I’m only halfway through but have already noted several key takeaways. And, as you can see from the screenshot, this is another one turning into a highlights-bonanza!

So what does it mean to "spend time on" a new decision or ruling?

First of all, if you know you should read it, set aside time to do so.

And here are 4 steps on how to navigate your time as a DPO (without losing your mind).

Tackling the beast

You scheduled time, excellent!

Now, this is how you can process these documents effectively:

1. Read: Switch on flight mode, go hide where you won’t be disturbed, and thoroughly read the document. I started yesterday and continued on page 93 today.

2. Annotate: Highlight, underline, and scribble as you go, especially any actions that may be necessary to implement internally.

3. Write: Create a summary and, if applicable, a list of possible/recommended actions.

4. Share: Discuss your findings with relevant folks in the business/organisation.

5. Implement: Get (agreed) actions done (not the DPO, obviously!)

For extensive documents, I find it helpful to create the note in step 3 immediately.

For instance, when I add a comment to a highlight, it relates to that specific text. But I often get several moments of insight during reading that don't directly fit where I'm currently focused. These insights I add to the separate note, which is also where I collate all annotations, screenshots, further resources, etc.

You can create such a note anywhere. I’ve used OneNote for years and tried Evernote, Notion and Standard Notes, but Obsidian is by far the most powerful (distraction-free!) note-taking app, in my experience.

I especially love the template feature! I have one for DPA decisions, another for CJEU rulings. It includes the standard structure I use for the DPO Hub, as well as a set of questions to spark ideas and remind me of other relevant cases, among other things.

One question is: "What did it make me remember or think about?" Whatever I'm reminded of while reading, I note in this section. When done reading and I’m in analysis mode, I ask it again.

DPO busy-ness torpedoing the process...

But I know that this thinking part is a luxury for many DPOs, who barely (if at all) have time to just skim important news.

And if you’re one of those overwhelmed and under-resourced DPOs, you can get away with only steps 1, 2 and 4.

But maybe you only have time for step 1, reading (quickly).

Considering how our brain works, that’s not a good strategy.

You’ll likely forget it shortly after. Only doing step 1 could end up as nothing more than a big time-waste.

This is why I recommend the other steps, to ensure you absorb and retain the knowledge.

(And I haven’t even mentioned how you should connect the decision/ruling to other relevant cases... that’ll be for another day.)

Let’s assume you simply don’t have the time—#DPOlife is chaotic and the quote from my ‘DPO busy-ness’ article is just too familiar:

"...if you're constantly in fire-fighting mode, there's something wrong with your job. Then you either don't have enough time and resources, or you work inefficiently and unstructured."

So here are some options that could help you out.

How to get some help, budget or not

Option 1: You have a budget

If your budget allows, the DPO Hub can save you significant time (and frustrations).

I fine-read these massive decisions and share my full PDFs, highlights, annotations, grumpy comments and all. I summarise the key facts and share credible and official (re)sources.

Importantly, I share my key takeaways from a distinctly European viewpoint, along with thoughts on how to implement these in 'tasks to tackle', all through a pragmatic lens.

For many, it’s all about gaining a different perspective. For some, it’s about validating their gut feeling. For others, who might disagree with me, that’s equally important; getting another take on things.

Bonus: You also get to join a European-born initiative run by an independent DPO with no commercial affiliations to big corporations anywhere!

Option 2: You don’t have a budget

If you have no budget for DPO Hub by Rie or other paid services, you likely know other DPOs who are utterly overwhelmed and in the same situation.

That’s your golden opportunity to join forces and split the work! The EDPS decision consists of different parts. One of you can read about purpose limitation, while the other focuses on the transfers part. Then you (e)meet to discuss your thoughts and findings. Help each other out!


To wrap up, I’ll have to mention that I appreciate how the EDPS has written the decision, quite similar to the DPC’s: comprehensive and well-structured!

Some hate this style exactly because it’s comprehensive and ‘wordy’. But for those of us who love to dive deep into the analysis of provisions, it’s intriguing.

And it’s always fascinating to read the responses from the parties! As usual, the red highlights show where I disagree or think something's plain wrong. Like one big chunk from one of the Commission’s responses...

Did you read it yet? What do you think, should people spend time on it?

PS: If you can't imagine touching anything more than 2 pages during Easter, then the Curated DPO newsletter shortly ships a carefully curated crossword puzzle:

Made entirely by Rie, not AI!


Ricardo Gandarias Tena

Data Protection Lawyer

8 months

Very helpful, thanks

Marianne Dees

Data Privacy Analyst and LegalOps project leader at ENGIE Electrabel (CIPP/E, CIPM) I ENGIE local expert

8 months

Wishing all EU DPOs good luck in the re-negotiation of their contracts with Microsoft..

Brendan Quinn

Data Expert in Law and Technology: Helping Businesses Grow while using all their data lawfully and ethically – Data, Data Protection and IT law, Information Security, and AI Expertise

8 months

It won't be enforced by the DPAs or through the courts so everyone should spend time with their family and friends and chocolate for Easter instead.

I read the big part of it. I’d love to have technical insights on the point 150 inwards criticising the alleged anonymisation of Microsoft.

Abel Kaszian

Group Data Protection Officer | J.D. | CIPP/E | Data Privacy and Security LL.M. | Artificial Intelligence and IT Law LL.M. | Sustainable Compliance | Customer Journey | Project Management

8 months

"But should you spend time on it?" I was seriously hoping for a big fat NO... :D
