GDPR preparations still at the very beginning throughout Europe

Friday, 11 May 2018

A look beyond the borders shows that the preparations for the General Data Protection Regulation (GDPR) are still at the very beginning throughout Europe. For the last year of the grace period there is still a lot on the agenda.

The upcoming change of regime in data protection law requires comprehensive rethinking for companies that process personal data. Existing and new processes are currently submitted to the Austrian Data Protection Authority. Unproblematic applications can be included with the notification; for critical applications, the authority has a two-month examination period. Regarding international data traffic outside the European Economic Area, the involvement of countries without a comparable level of data protection is only permitted with a separate approval. Hence, to date there has been a very formal and official approach: after a notification, the Austrian Data Protection Authority examines the data processing activity and approves it if it sees that the requirements are met. In the future, this will change with the GDPR:

Self-responsibility of the companies

In the future, controllers will have to document their own processes comprehensively in advance and carry out the Privacy Impact Assessment (PIA). The authority can be involved in rare cases only; henceforth it will rather serve as an ex-post control body as well as a penal body. This tough change of regime will come into force overnight: on 25 May 2018 the GDPR will apply after a two-year transition period. Due to the fundamental changes, it is absolutely necessary for companies to work out the internal implementation from now on. Of course, this is not that easy: Austria lacks an accompanying law and interpretation aids for the clarification of the numerous points in the GDPR that, despite the principle of full harmonization, were consciously left open for the member states to decide.

Austrian companies are not alone in this respect: as a current international comparison performed by the data protection team of DORDA shows, the situation in the 13 analyzed EU member states (Belgium, Germany, France, Greece, Latvia, The Netherlands, Austria, Portugal, Sweden, Slovakia, The Czech Republic, Hungary and Great Britain, which despite Brexit wants to adopt the new regime to maintain uniform data protection standards) is comparable. The highlights of our international survey:

Current situation in a European comparison

Discussions about the practical handling of the GDPR and the use of the existing opening clauses are being held in all member states. Specific drafts for accompanying laws exist only in Germany and The Netherlands. In Germany, the public tore a first draft apart, and a controversial second attempt followed; apparently, the hurry before the federal election had a negative impact on the quality of the drafts. The EU Commission has also already criticized the act, which seems to undermine the idea of harmonization in several parts, whereas The Netherlands proceeded much more cautiously and deliberately and agreed on minimal variations. After several postponements, the Austrian equivalent was announced for summer 2017. There is speculation about its content and approach; the authorities in charge have so far been very skillful in preventing the leakage of details.

Depending on the topic, some member states are playing a pioneering role and filling the opening clauses of the GDPR with life, but this will certainly complicate the full harmonization that is being striven for in several areas: in the future, in addition to Germany, there will also be specific regulations for data processing activities in the area of employees' rights in Belgium, Greece, Hungary, Latvia, Slovakia and Great Britain. Especially for internationally networked companies, this means there is a great need to adapt the implementation of central, company-wide data processing activities, eg in HR management, bonus and participation programs or whistleblowing hotlines. Even after the new regimes come into force, it will be necessary to take a broader view and to coordinate further details.

Uncertainty and scarce interpretation aids

The announced and urgently needed interpretation aids regarding a lot of interesting questions at EU level are still missing, eg on the extent of predominant interests in relation to the admissibility of data processing activities without consent, or on data portability. However, some member states are more active in delimited areas: in France, for example, there is already an official model for the new procedure directory, as well as guidelines for the central PIA, as there are in Belgium, Germany and Slovakia. Beyond that, Belgium has developed a draft of the Black and White lists, listing the data applications for which the PIA has to be performed in any case and the areas where it can be omitted. This is of utmost importance: especially for companies, the question of what must be documented, to what extent and in what form, in order to assess the need for a PIA is the core of the preparatory actions.

Conclusion: need for action now

Even though the legislator still shows restraint, it is clear, given the number of new responsibilities, that further delay in dealing with unresolved questions of detail is the wrong approach. The cornerstones should rather be internalized and implemented proactively right now within the company in order to actually be fit for the GDPR next year.