GDPR took effect across Europe on 25 May 2018, but that is the beginning, not the end. GDPR will be an evolving story and we may not know its impact for some time to come. One of the key tests of GDPR will be in its enforcement by Data Protection Authorities across Europe, who have a significant responsibility to ensure the new rules are applied effectively. They are likely to face challenges in that task.
Julian David, CEO, techUK, Cecilia Bonefeld-Dahl, Director General, DIGITALEUROPE and Mathias Cellarius, Global Data Protection Officer, SAP have joined forces to outline the important task facing data protection authorities and call for the relevant resources to tackle that task effectively.
"GDPR day was a major milestone for Europe. The EU can be proud that it has set the agenda on privacy in the digital age. But the real success of the GDPR will depend on how it is understood, interpreted and enforced.
One of the most immediate consequences of the GDPR is that Europe’s Data Protection Authorities (DPAs) are now not only privacy watchdogs but also, in effect, powerful economic regulators. Their actions and decisions will have profound implications for Europe’s digitising economy.
To fulfil the Regulation’s ambitions, DPAs must give practical meaning to individual rights whilst also supporting the ability of businesses and other organisations to innovate and grow. To this end, they need to do three things:
Firstly, commit to a long-term effort to drive understanding and not just awareness of the GDPR.
Secondly, make themselves open to effective dialogue with stakeholders and organisations within and outside the EU, to ensure a deep understanding of the implications of evolving technology and develop effective solutions to new challenges.
Thirdly, coordinate effectively through the European Data Protection Board and ensure that the ‘One-Stop-Shop’ for dispute resolution lives up to its name.
All of this will take more resources. Across Europe there are concerns that DPAs are not suitably resourced to ensure GDPR is enforced effectively. The test of GDPR will be in its application and enforcement. Regulators must therefore be in a position to meet that test, which may require additional investment. EU governments should prepare to resource their DPAs to suitable levels now."