With the European Commission set to carry out the first significant review for the General Data Protection Regulation (GDPR) in May, it’s unlikely we’ll see sweeping changes of the regulation’s underlying requirements.
What may well change, however, is how the GDPR is enforced. Because GDPR has traditionally relied on a decentralised enforcement model, how it is enforced can create many challenges for both regulators and businesses seeking to comply with the law.
Here’s a look at the current approach to GDPR enforcement, and how it could potentially change in the future.
GDPR enforcement: The basics
The GDPR is a European Union regulation, and its requirements are the same across all EU member states. However, under the current approach to GDPR enforcement, each EU member state’s data protection authority (DPA) is responsible for interpreting and enforcing the GDPR. This is because there is no centralised GDPR enforcement agency. The EU doesn’t enforce the GDPR; it spreads accountability to each individual country.
Further, the EU member state responsible for GDPR enforcement against a given company is the state where the company has the largest presence – even if the company also operates in other parts of the EU. This approach, known as the ‘one-stop-shop’ mechanism, means that the DPA in the specific member state where the company is headquartered is responsible for enforcing against any GDPR violations that took place in a different country.
For example, Ireland – which is home to the main EU offices of many large tech companies – could find itself having to enforce the GDPR in response to an issue involving the personal data of citizens in Sweden or Poland, in the event that a company whose main office is in Dublin also operates in those other countries.
This makes enforcement especially complex when it involves companies with a cross-border presence.
Where GDPR enforcement gets tricky
The current approach to GDPR enforcement presents major challenges for regulators and businesses alike.
For the DPAs that report to the European Data Protection Board, the decentralised enforcement model means each member state must maintain its own enforcement operations rather than consolidating the administrative and legal efforts of enforcement in a central body with shared resources.
In addition, the decentralised model places the onus on individual member states to interpret the GDPR requirements on their own. So, regulators in one country may need to invest time assessing a GDPR interpretation issue that has already been settled by another country’s enforcement agency.
At the same time, having to interpret GDPR in what can feel like a siloed process may lead to inconsistent enforcement. Although no major differences of opinion have emerged to date between different enforcement agencies, nuanced divergences in interpretation are possible – and when it comes to compliance, nuance is often what matters most. If decisions made by one enforcement agency contradict those issued by another in even a small way, companies may struggle to understand exactly how to interpret a GDPR requirement.
A better approach to enforcing the GDPR
There are two main ways to address the current difficulties surrounding enforcement.
Centralised GDPR enforcement
Last year, the EU proposed new GDPR enforcement rules in a way that some observers viewed as a signal that it plans to shift toward centralised enforcement – but at present, there is no concrete indication that this will happen.
Centralised enforcement would certainly add efficiency and consistency to the enforcement process. However, implementation could take years, and even once it’s in place, there’s a risk that individual member states may take issue with rulings made by the central enforcement agency, leading to disagreement over enforcement decisions.
Enhanced enforcement guidelines and processes
The other foreseeable approach is for the EU to stick with its current decentralised approach to GDPR enforcement, but to invest in measures that would make enforcement more consistent and efficient.
For instance, regulators could encourage member states to share data with each other more consistently. Currently, there is no systematic process for enforcement authorities in one country to learn what their counterparts elsewhere are doing to address GDPR violations by a particular company. The ability to collaborate more effectively across borders would improve the efficiency of enforcement operations (because regulators would not need to duplicate each other’s work as often) while also building consistency and consensus about how to interpret the GDPR.
Developing clearer guidelines about GDPR interpretation would help, too. As a principles-based framework, the GDPR can be overwhelming to interpret, making it challenging for businesses to comply and for enforcement authorities in various countries to determine when a violation has taken place. Centralised interpretation guidance, in the form of clarifications about complex GDPR requirements or examples of successful compliance, would help ensure more consistent and efficient enforcement of the GDPR, even without a centralised enforcement agency.
GDPR will continue to evolve in the years to come, with enforcement top of mind when considering future amendments.
In many respects, rather than rethinking the entire enforcement model, the bigger priority remains around making consistent enforcement guidelines and processes more accessible. This will be the key issue to follow for businesses seeking to adapt to changing GDPR enforcement practices.
Martin Davies is audit alliance manager EMEA at Drata.