Four months before the General Data Protection Regulation (GDPR) becomes enforceable, the European Commission has presented the further steps that will – and should – be taken in the run-up to May 25th in what it calls a concerted effort.
Moreover, in the scope of that concerted effort, between member states, data protection authorities, companies/organizations, citizens and the EC itself, guidance on the upcoming new data protection rules is presented, including GDPR guidance for SMEs and information for citizens.
For those who are fully preparing for GDPR compliance, there isn’t really anything new, as it’s more for SMEs and citizens at this stage, with on top of that a clear message to Member States to step up their own GDPR readiness pace.
Along with the press release, the EC mainly offers an overview of these ‘concerted effort’ initiatives, at the same time presenting the fruits of its own efforts: an interactive page and several fact sheets that are brought together, again mainly focusing on small and medium enterprises and on citizens. This is part of efforts to make EU citizens aware of their new ‘data subject rights’ and other rights, particularly under the GDPR, in an easy-to-understand way.
Nevertheless, since most organizations are SMEs, since there are also overviews of the WP29 Guidelines on several topics we’ve covered, since GDPR awareness certainly can still use a boost across various types of organizations, large and small, and since there now is a sort of Commission GDPR guidance and overall data protection hub, also explaining what is happening next in the scope of GDPR until and beyond May 25, 2018, it’s certainly worth the while. An overview.
The reform of the EU data protection framework: more than just the GDPR
You might have noted in the introduction that we said data protection instead of personal data protection. That is because the press release which the European Commission published on January 24, 2018, doesn’t only cover the GDPR, although it is the main one.
The reform of the EU data protection framework, however, encompasses:
- The General Data Protection Regulation or GDPR that replaces the previous Directive.
- The ePrivacy Regulation (not final yet) which aims to align the rules for electronic communications (ePrivacy), serving as lex specialis to the GDPR and a major overhaul as you might know (also replacing a previous Directive).
- The new set of rules governing the free flow of NON-personal data in the EU, which the EC proposed in September 2017 and for now gets less attention than the ePrivacy Regulation, which in turn gets less attention for now than the GDPR.
If you don’t know why this is: the GDPR text is officially published and now it’s a matter of that “concerted effort” to turn it into practice, which of course already happens, albeit slower on some levels, also on the level of Member States.
- getting the supervisory authorities (data protection authorities) ready, funded and aligned,
- finalizing the nascent launch of the European Data Protection Board (still the Article 29 Working Party for a short while) and
- putting the mechanisms in place to monitor the consistent application of the GDPR (and, as is foreseen in the GDPR text, scheduling a first assessment in 2019).
The ePrivacy Regulation, on the other hand, though approved by the European Parliament, is not a done deal yet, and for those new rules governing the free flow of non-personal data it’s also a matter of waiting for now.
GDPR concerted effort steps towards Member States, DPAs, citizens, controllers and processors
The image below, which is the subject of one of the five GDPR factsheets that came with the press release, shows those next steps in more detail.
In particular it shows the actions by the European Commission towards 1) EU Member States, 2) Data Protection Authorities or DPAs, 3) citizens (mainly awareness and thus informing them, which answers to one of the remarks we made in an article on how EU citizens would invoke their rights) and data processors and controllers and 4) all stakeholders in that concerted effort.
You can see the launch and promotion of web guidance for citizens and smaller businesses (which is now a fact and part of the press release), contributing to the work of that European Data Protection Board or EDPB, further creation of awareness regarding the GDPR (and others) whereby a budget of 2 million Euros is foreseen to co-finance approved projects on some national levels, an ongoing gathering of feedback, monitoring and the mentioned ‘event’ and ‘report’ which, as said, is foreseen in the GDPR Articles.
What is expected from various stakeholders in that GDPR concerted effort scope
The press release doesn’t just mention the ‘concerted effort’ but also summarizes what this means for the various stakeholders, which is the subject of a second of the five factsheets made on the occasion of the January 2018 update.
In order for the new data protection rules to work (again, all three but for now mainly think GDPR), the European Commission stresses that “it’s important that every actor plays its role”.
GDPR member states efforts
For member states that specifically means:
Adapting national legislation to the new rules as soon as possible (however, remember that it’s a Regulation and thus binding for all). In particular, member states must now, among others:
- Repeal and amend existing laws.
- Set up national data protection authorities (which de facto exist in most member states).
- Make sure that the data protection authorities have the necessary funds (which, as we have written before, hasn’t really been the case in several countries and of course does impact enforcement).
- Ensure the complete independence of those national supervisory authorities, as is stipulated in the GDPR.
For data protection authorities, which you could already find online before but which are now added to the package of information the EC has prepared (especially for SMEs and certainly citizens), it means:
- Fulfil their foreseen duties in the scope of setting up the EDPB.
- Obviously ensuring the application and enforcement of the GDPR (indeed including administrative fines where and when needed).
- If needed, provide guidelines to clarify the application of the rules. This will be interesting as, while some countries, including the UK, which is poised to leave the EU, do great jobs in this regard, in many other countries DPAs have so far only provided some general material on the GDPR, maybe added a small app and for the rest essentially link to other sources, in particular, among others, those WP29 guidelines.
- Promote a culture of dialog with stakeholders.
Controller and processor efforts
For companies and organizations (controllers and processors) the concerted effort really boils down to:
- Make sure you are compliant and respect the GDPR by the so-called deadline.
- In case you have doubts regarding particular rules or processing activities get in touch with your DPA (for instance in the scope of a Data Protection Impact Assessment for particular data processing activities).
For the European Commission, the concerted effort de facto means that they will do what we described before and what you could see in the previous graphic.
The announced efforts comprise what has already been done, what is being done now with the various resources for SMEs and citizens covered in the press release and this article, and what still needs to be done in 2018 and beyond.
Citizens and concerted GDPR efforts
For citizens, and this again is an indication of the fact that you can expect the necessary creation of awareness in the future – and thus an informed EU citizen – it means:
- Know your rights, whereby the EC explicitly refers to the new big one: the right to data portability.
- Be empowered, meaning: get informed (the DPAs and EC and member states and so forth will do what they can to inform you) but also be empowered. In other words: if your data subject rights are not respected, do contact the national supervisory authority a.k.a. Data Protection Authority.
A graphical overview below and at the same time the subject of a second data protection reform fact sheet (PDF here).
Further Commission GDPR guidance, links and resources
Is that it? Surely not. The press release further points you to Commission Guidance where you can, among others, find explanations about the regulation and data protection, as well as the background, a library and related links (including those factsheets).
There is also that illustrated interactive page where the essential rules are explained graphically with a focus on small business (part of the action plan of the EC), which you can navigate here.
Next, on top of the two mentioned PDF factsheets there are 3 more:
- One which summarizes the small business aspects (PDF downloads).
- A second one which summarizes some facts for citizens (PDF downloads).
- And a third one which explains the role of the European Data Protection Board and the various mechanisms of enforcement with the various stakeholders (PDF downloads).
A concerted GDPR effort: the Commission has a message to Member States
There is more, and no doubt there will be more, as the press release, on top of presenting the GDPR guidance for SMEs and the initiatives and online tools for citizens, as well as the next steps, also contains a message for EU Member States. It states that “Preparations are progressing at various speeds across Member States” and points out that, as per publication of the press release, 4 months before the GDPR compliance deadline, only two had adopted the relevant national legislation.
Member States are therefore urged to:
- speed up adoption of national legislation,
- ensure the measures they take to do so are in line with the GDPR and
- ensure they do what they need to do in order to enable DPAs to do what they in turn need to do.
The Commission dedicates 1.7 million Euros to fund DPAs and train data protection professionals on top of the 2 million Euros which should enable national authorities to reach out to small businesses.
Of course, Member States as well will need to make sure they are ready for GDPR compliance, for enforcing it and guaranteeing consistent application that is.