With new regulations come new requirements. The SIS Recast, a set of EU Regulations designed to improve the Schengen Information System (SIS) and further strengthen the protection of the Schengen Area, is no exception to that rule. Apart from a number of technical requirements, this major regulatory facelift also brings with it some challenges at the organisational level, especially for the EU Member States and their organisations. Are they ready to take them on?
Since the SIS Recast Regulations were adopted by the European Union in 2018, my colleagues and I have already written extensively about the many challenges this enhanced legislative framework poses for the EU Member States in particular. Quite understandably, at first, a lot of attention was given to the technical challenges that arise from introducing such novelties. However, (too) little has been said about the need to comply with the non-technical aspects of the new Regulations. I am thinking, more specifically, of the privacy aspects and the awareness of data protection that the EU Member States and their organisations need to raise.
As the new Regulation itself clearly states, the improvements to SIS are being introduced to “increase its effectiveness, strengthen data protection and extend access rights”. In other words: the SIS Recast sets data protection as the governing element for Member States. Data protection rules are “required to govern the deletion of alerts, the authorities authorised to access the data, the use of biometric data”, among other things.
However, data protection is not only the governing element in the design and functionality of the Schengen Information System. It is also the governing element in raising awareness about SIS and in training its end-users. Consequently, “in order to be able to fully benefit from the functionalities of SIS, Member States should ensure that end-users and the staff of the SIRENE Bureaux regularly receive training, including on data security, data protection, and data quality.” (The SIRENE Bureaux are responsible for the exchange of supplementary information between the Schengen Member States on SIS alerts.)
Member States: different responsibilities
It is important to note that the scope of responsibilities differs between the Member States, other end users (Europol, Frontex, etc.) and eu-LISA, the EU Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice. As a data processor, eu-LISA is responsible for the operational management of the Schengen Information System, including its design, functioning and maintenance. In contrast to the Member States, however, it has no right to use the personal data stored in SIS for its own purposes. Indeed, the processing operations carried out by the Member States are distinct from the processing activities of the central reference database, known as C-SIS.
As data controllers, the Member States not only have broader security obligations, they also have wider and stricter data protection obligations (see illustration below). They need to know what data to collect, based on principles such as data minimisation, transparency and fairness. They need to know which legal requirements apply, from data quality requirements to purpose and storage limitation. They need to know what to ensure in order to achieve data protection by design and by default and to uphold the CIA triad (confidentiality, integrity and availability). Finally, they need to know what to adapt and design when implementing new system functionalities. To do all this successfully, they must adopt a data protection mindset.
Data protection awareness training for personnel as key step to adopting the right mindset
Beyond coping with new technical developments, some more complex than others, the SIS Recast also requires all the EU Member States - and, more to the point, their end-users - to adopt a data protection mindset. To that end, the Member States are made responsible for ensuring continuous training for their personnel on data protection, security, and fundamental rights. Or, to quote the actual Regulation itself: “The staff of the authorities having a right to access SIS shall receive appropriate training on data security, on fundamental rights including data protection, and on the rules and procedures for data processing set out in the SIRENE Manual.”
The adoption of a data protection mindset is based on a people-process-technology approach (see illustration below). In that approach, ‘people’ not only come first, they are also highly diverse, coming from many different teams all having to work together: from IT and Operations to Business and Legal. All these people need to be trained on data protection issues. This brings us to the ‘process’ part of the approach, which ensures overall compliance by design. Last comes the ‘technology’ part, which deals with the technical impact of data protection, such as risk assessments and the proper deployment of tools and technologies.
Tailored training programme
This comprehensive approach takes in all the different aspects of data protection to create an environment in which it can be practised and adapted over time. The same approach characterises the training programme for SIS end-users which we tailored to the needs and responsibilities of EU Member State authorities (see illustration below). If you work for one of these authorities, this is the training to instil the required data protection mindset in your SIS end-users. Not only will they find out exactly what to collect, identify, ensure, adapt and design, they will also learn to do all that proactively: another key requirement of the SIS Recast Regulations.
Struggling to implement the new SIS Regulations? Worried you won’t get your staff properly trained in time? Sopra Steria Benelux can help you tackle all your SIS challenges, both on a technical and an organisational level. So don’t hesitate to contact me.