31 Jan 2018
The General Data Protection Regulation (‘GDPR’) has been causing quite a stir since its adoption and entry into force; and now more so than ever with the 100-day countdown to its implementation date steadily approaching. With harsh penalties awaiting to be imposed on non-compliant entities as of the 25 May, data controllers and processors have been frantically attempting to ensure that all their processes, procedures, and policies are in order and compliant. Data protection considerations have been at the forefront of the European Union Commission’s (‘Commission’) agenda for a while, and this resulted in the publication of a guidance intended to facilitate a “direct and smooth application” of the GDPR rules, as well as the launch of a new online toolkit which will serve to help stakeholders in their preparations for the GDPR.
In its guidance, the Commission acknowledged its awareness of the ongoing preparations being undertaken to ensure compliance with the GDPR, and explained that the intention was to take into account the work that has already been done and to look into any further actions that may be useful to ensure that everything is in place on the coming into effect of the regulation. An Expert Group consisting of EU Member States’ public authorities was set up, which has been serving as a forum for Member States to share their experiences and expertise on this matter. There have also been a number of meetings between the Commission and individual Member States’ authorities whereby national issues were discussed.
The proliferation of the digital economy has led to the inevitable transfer of personal data to third countries, and this situation has been raising concerns on the transfers of personal data to third countries not having adequate safeguards. The Commission’s vision is for the GDPR’s principles to be echoed on an international scale; it has expressed plans to work closely with the Council of Europe to achieve the modernisation of Convention 108, as well as with key trading partners in Asia and Latin America to probe the prospect of adopting adequacy decisions for the transfer of data to these third countries. Furthermore, the Commission has acknowledged that a “one size fits all” approach would be destined for failure, and has thus been working on the development of alternative transfer mechanisms, particularly to serve the needs and requirements of specific industries. These proposed alternative transfer mechanisms include the diversification of the existing standard contract clauses, which would consist of either the adoption of new sets of standard contract clauses, the introduction of supplementary clauses to the existing ones, which clauses would include specific safeguards ranging from technical and organisational measures to “business-model related solutions”. These measures will undoubtedly be a welcomed change to the current “universal” standard clauses which offer little to no flexibility to cater for industry-specific demands.
The Commission guidance also discussed the remaining steps which need to be taken in preparation for the GDPR; it mentioned the fact that only two Member States, Germany and Austria, have already adopted the relevant national legislation to complement the GPDR, and it emphasised that operators need to be given enough time to comply with the provisions before the 25 May. It also stressed that it is crucial for the European Data Protection Board (‘the Board’), as successor of the Article 29 Working Party, to be fully operational as of the latter date, as the Commission feels that it will be essential for the consistent application of the regulation, in particular as the Board will not only be issuing guidelines as to the application of data protection rules, but will also be tasked with issuing binding decisions where there are cross-border issues. Furthermore, Member States are being encouraged to ensure that their respective data protection authorities are afforded adequate human, technical, and financial resources to effectively carry out their tasks and functions. However, this appears to be discretionary rather than compulsory, and it will be interesting to see what level of importance individual Member States will give to the protection and enforcement of GDPR principles through their supervisory authorities; it will undoubtedly be a greater challenge for national authorities to carry out their powers and functions on a large scale with limited resources.
Finally, the Commission is stressing the importance of all stakeholders being adequately informed and aware of the changes that are happening, and those that are yet to take place. The Commission is particularly wary about the lack of awareness of SMEs in this regard. It tasks national data protection authorities with raising national awareness and familiarising their citizens, as data subjects, with their rights. The Commission is insisting on training and awareness being carried out and intensified with particular focus on SMEs. To assist with this endeavour, the new online toolkit is providing publicly available guidance materials to help businesses, particularly SMEs, to comply with the rules they are also inevitably subject to. The tool is available in all EU languages, will be regularly updated, and contains content for all stakeholders, including data subjects, businesses, and public administrations.
The Commission’s message is loud and clear: the looming GDPR is almost here, and non-compliance is not an option anymore.
WH Partners is actively committed to assisting its clients with their GDPR compliance needs. For more information please contact: email@example.com
Author: Talisa Krauer, Associate at WH Partners.
 Communication from the Commission to the European Parliament and the Council on stronger protection, new opportunities – Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018, Brussels, 24.1.2018, COM(2018) 43 final
 Communication from the Commission to the European Parliament and the Council on exchanging and protecting Personal Data in a globalised world, Brussels, 10.1.2017, COM(2017) 7 final
 Brussels, 10.1.2017, COM(2017) 7 final
 Brussels, 10.1.2017, COM(2017) 7 final