The application of the General Data Protection Regulation (GDPR) is now imminent. Assembly's Privacy and Data Protection Tracker has analysed and compared the approaches taken by Data Protection Authorities (DPAs) in various countries to prepare businesses for the new regulation. Differences in approach across countries remain, but the pan-European nature of GDPR means companies can find useful insight in the activity of every DPA across the EU.
Despite Brexit, the UK DPA has been extremely proactive in preparing businesses for GDPR
GDPR is now on our doorstep: although it formally entered into force in May 2016, its rules apply from 25 May 2018. Since its approval, data protection authorities across the EU have recognised the considerable effort businesses will have to make to get it right from the start, and have developed comprehensive sets of guidelines to help organisations take the right steps ahead of that date.
Assembly's Privacy and Data Protection Tracker shows that, despite the UK's imminent departure from the EU, the UK's DPA, the ICO, has been very proactive in issuing guidelines and toolkits, possibly the most proactive among the EU5 (the UK, France, Germany, Italy and Spain). The regulator has provided businesses with general guidance on the whole regulation, and has added further detail in some areas through more specific documentation. The ICO has already issued guidance on documentation and on privacy by design, and is finalising drafts on key points such as consent, legitimate interest, automated profiling, and Privacy Impact Assessments (PIAs). In March 2018, the ICO also released a guide specifically aimed at small businesses, to help them get ready for compliance.
There are at least two reasons why the ICO's proactiveness in addressing GDPR is less surprising than it might initially look. First, the rules of GDPR will apply to UK firms doing business with EU clients, which means a huge number of companies will be affected by GDPR regardless of whether the Regulation remains in force in the UK. In particular, the tech industry, with its far-reaching geographical scope, has pointed out the importance of regulatory consistency between the UK and the EU once the leaving process is complete. Second, the ICO's head, Elizabeth Denham, has argued that GDPR gives the authority more powerful tools to tackle and prevent privacy breaches than existing legislation. In her hearing before the DCMS Committee's fake news inquiry, she noted that not only are penalties heavier, but the ICO will also be able to stop companies from processing data or order the deletion of data. Such orders hit companies in the services they offer, not just in their finances.
In the rest of the EU5, the Italian DPA has been the most active, whereas the CNIL in France promises flexibility
Culturally, Italy tends to attach great importance to privacy. It is therefore not surprising that its DPA, the Garante, published a comprehensive set of guidelines in April 2017, updated more recently in February 2018. These span all areas of GDPR and come with clearly distinguishable recommendations. The Garante also included references to past cases, to frame its own thinking and give an indication of how it might decide relevant cases in future. It has also organised a conference open to DPOs from the private and public sectors, to be held on 24 May 2018, the day before GDPR starts to apply.
By contrast, the Spanish authority, the AEPD, has engaged in detail with only a few aspects of GDPR implementation, such as risk analysis and impact assessment. It has also published more generic and comprehensive checklists and toolkits, although several aspects of GDPR implementation are yet to be covered. On the other hand, Spain is ahead of most of the EU5 in preparing for GDPR-related certification schemes, for which the AEPD has already made provisional designations.
Authorities in France and Germany have also been active. The CNIL in France has released a range of guidelines, and has also been explicit in saying it aims to be flexible in the first few months of application of the rules, avoiding sanctions where possible. The approach in Germany has been, perhaps inevitably, fragmented, given that each state (Land) has its own DPA alongside the federal authority. However, the German DPAs have jointly approved a Standard Data Protection Model (SDM) valid across the federation.
Businesses across the EU can refer to guidelines of any DPA, and of the Article 29 Working Party
As GDPR is a pan-European regulation, directly applicable in every member state, companies in countries where the regulator has not been very proactive in issuing guidance and engaging with industry can broadly rely on the documentation issued by other DPAs, as it is likely to provide relevant and sensible insight on what to do in any country.
If in doubt, companies can refer to the guidelines issued by the Article 29 Working Party, which groups together all DPAs in the EU; such guidelines are also likely to give a good indication of how the European Data Protection Board, which replaces the Working Party when GDPR starts to apply, will make decisions. The Board will be a key instrument in ensuring consistent application of GDPR across the EU, and will keep DPAs' actions and decisions under scrutiny from its inception.