A Brussels report found that a lack of clarity and other challenges were complicating the task of implementing the GDPR.
My colleagues and I have been considering some of the points raised and how these have impacted the effectiveness of the GDPR initiative.
On 24 June, the European Commission released “Communication from the Commission to the European Parliament and the Council.” The report shared the results of the Commission’s first official evaluation and review of the GDPR following its implementation on 25 May 2018.
In its publication, the European Commission noted that data protection authorities (DPAs) had made progress in working together through mutual assistance along with a system of consistency and co-operation measures known as the “one-stop-shop.”
But the European Commission revealed there was still work to be done.
In particular, the government body explained that DPAs had not yet availed themselves of all the tools available via GDPR. Those resources included joint operations for the sake of conducting joint investigations. In the absence of these efforts, the European Commission explained, DPAs had commonly resorted to the “lowest common denominator.” As a result, “opportunities to foster more harmonisation were missed.”
The European Commission also explained that more work was needed to harmonise the procedures for handling cross-border cases.
The implementation issues didn’t end there. In its report, the European Commission acknowledged the existence of challenges with respect to applying the standard to developing technologies such as artificial intelligence (AI), the blockchain and the Internet of Things (IoT). The Commission specifically pointed to the use of AI for remote biometric authentication as a use case that DPAs must be prepared to address in the future.
My colleague, Chris Harris, EMEA technical director, agreed with the European Commission’s decision to focus in on these and other elements of GDPR’s implementation. As he told Computer Weekly:
“Since [GDPR’s] inception, there have been murmurs about its effectiveness due to lack of clarity on compliance and fears around the resources and power each DPA has to track and investigate the number of breaches that occur in their country. This is something that should have been sorted from the start, and not something that we are still talking about two years later – four if you include the transition period,” he said.
“To be truly effective, the EU needs to give clearer instructions on how to be compliant that are consistent across each country, while giving local DPAs more resources to pursue heavy penalties against companies that are intentionally putting their customers’ data at risk.”
The European Commission concluded its report by outlining how it intends to improve the consistent implementation of the GDPR going forward.
To promote greater harmony in enforcing cases, for instance, the Commission said that it would continue to use existing bilateral exchanges with Member States, as well as tools to foster compliance among them.
Additionally, the Commission highlighted the need to help bring Member States’ data protection laws together in the spirit of better securing data flows. The Commission noted that such an effort would require international negotiations as it sought to create certification mechanisms and update contractual clauses, among other changes.
So, in summary, there is still work to be done. We can only hope that a more proactive and clearer set of responsibilities is put in place and acted upon, and that negotiations don’t add delays or further lack of clarity.