On May 25th, the GDPR celebrated its two-year anniversary. The European Commission announced that its two-year review of the EU General Data Protection Regulation will be released sometime in June. The review was originally scheduled to be presented April 22 before being put off for undisclosed reasons.
In general all parties agree: the GDPR has been a success.
Especially in the private sector, the Regulation has brought a big increase in awareness of privacy and data protection issues. Many organizations have implemented far-reaching privacy programs to ensure the personal data of their employees, business partners and customers is well protected. And if something goes wrong, they are much more forthcoming in reporting a breach than was the case in the past, judging by the total number of data breaches reported thus far.
The ‘extraterritorial’ influence of the GDPR is also noticeable. Countries around the world have adopted legislation to bring their own privacy laws more in line with the GDPR, or are in the process of doing so.
For small or mid-market players, however, the cost of implementation is relatively high compared to bigger companies. They had to assign about two people out of a workforce of 200 to implement GDPR.
June will also be an important date for Brexit. The British government revealed that if sufficient progress is not made on a trade deal with the EU by June, then London’s negotiators would pull out of talks and the government would spend the rest of the transition period preparing to move the UK onto World Trade Organization (WTO) terms with the EU. Prime Minister Boris Johnson said he is planning to hold Brexit trade talks with European Commission President Ursula von der Leyen in June, with hopes of securing a deal before autumn. Johnson and his government have repeatedly resisted calls to extend the Brexit transition period despite the coronavirus pandemic.
In the meantime, traditional privacy norms are being challenged by the COVID-19 pandemic as attempts are made to identify, treat and mitigate the spread of the deadly virus, especially with contact tracking apps, but also with the extension of telecom laws. The Irish DPC issued guidance on videoconferencing, no doubt reflecting the exponential increase in the use of video conferencing apps. The guidance is practical and helpful, particularly for smaller organizations. The DPC has also issued guidance on “protecting personal data when working remotely” and “guidance for data controllers on security.”
For many organizations, it may seem that the GDPR has become business as usual; one of many elements of their global compliance strategy. For many others, it remains a continuous struggle.
Supervision and enforcement of the GDPR remain problematic. The GDPR has not achieved one of its main goals: full harmonization. Authorities of different countries have different priorities and different approaches. Doing business on a European level is still complex. Companies located outside of the European Economic Area still need specific, dedicated actions tailored to their business, like a representative, adopted privacy statements and processor agreements with parties handling the personal data of their European customers.