Less than 100 days to go, and so far only two European countries have adapted their laws to be ready for GDPR – is it time to panic yet?
Although the General Data Protection Regulation builds on the existing Data Protection Directive, and aims to harmonize rules across the European Union, many member states need to change their national laws in order to be compliant.
The European Commission has called on EU governments and data protection authorities to be ready, and on 24 January published new guidance on practical application of the GDPR, issued a special online tool to support SMEs, and pledged €1.7 million to help member states get ready with a further €2 million available to support national authorities in reaching out to businesses. Despite all this, and rising alarm, only Germany and Austria can claim to be “GDPR ready”.
According to the president of the French data protection authority (DPA) CNIL, Isabelle Falque-Pierrotin, some national DPAs have expressed concern over the slow progress with GDPR adaptation laws. As retiring chair of the EU Article 29 Data Protection Working Party, an oversight group made up of all the European DPAs, she should know.
After 25 May, the Article 29 working party will become the European Data Protection Board, but national DPAs must be named as the regulator in any new laws in order to take part.
“It seems as if almost no member state has prioritised the regulation,” Dr Lukasz Olejnik, cybersecurity and privacy researcher and consultant, affiliated with Princeton’s Center for Information Technology Policy, told CPO Magazine. “In most countries, GDPR law sparks multiple controversies and heated debates, with many local players participating in this tug of war. Consequently, you can find countries seemingly trying to test the bending properties of GDPR.”
The disorganization worries businesses too. UEAPME secretary general, Véronique Willems, said: “Only two member states have already adopted relevant national legislation and are ready for the implementation. This is very worrying from our point of view. So far only five out of 13 guidelines for application by the Article 29 Working Party are adopted. This does not help to create certitude. This situation at national level can create confusion among SMEs. It is almost surreal to pretend that SMEs can comply with the GDPR by 25 May when today, less than four months away, member states have still not completed the necessary work to prepare the right environment.”
A recent report from the UK’s Department for Digital, Culture, Media and Sport found that only 38% of businesses are even aware of the incoming GDPR legislation, never mind ready to comply.
The big selling point of the GDPR has been that a single, pan-European law for data protection will replace the current inconsistent patchwork of national laws. According to the European Commission, the benefits to companies of dealing with just one law, not 28, are estimated at €2.3 billion per year. But with many member states eyeing possible exemptions, that may not come to pass.
France and Ireland, for example, intend to make public institutions exempt from GDPR fines, and Poland plans “an impressively long list” of carve-outs.
“In effect, GDPR intended as a coherent constitution of data privacy in European Union might end up being fragmented,” explained Olejnik.
“We have exemptions from fines for the state, as in France and Ireland, and exemptions to fines that can be issued for public institutions in Poland. Sometimes with paradoxes when two entities competing on the market are subject to different levels of fines. This can only be topped by further exemption of SMEs with up to 250 employees,” he continued.
“The abundant rumors about the level of compatibility of the Irish Data Protection Bill with the GDPR complement the picture. But you also have the UK with an attempt to ban certain privacy research in their own bill. Then there is France where public institutions will seemingly have it easier to apply profiling.”