With under 100 days to go before the General Data Protection Regulation (GDPR) becomes effective, there is still work to be done, especially in raising awareness about the significant differences for any organisation processing data, says the European Commission. The Commission has now issued a guidance to support the application of the new rules which will apply throughout the EU from 25 May, even if not everyone is ready.

For business, the risk of non-compliance is serious with the potential for substantial fines in case of a breach. FERMA President Jo Willaert said: “FERMA members are most likely to have their preparations well underway, but there is concern about SMEs and other organisations, including public bodies, with which we have relationships.”

The Commission calls on governments and national data protection authorities to speed up preparations. It highlights five areas where work remains to be done to ensure successful application:

For organisations:

  • The level of preparation of businesses, public administrations and other organisations processing data.

For Member States and Data Protection Authorities:

  • The level of understanding of stakeholders, citizens and SMEs.

  • Slow progress on implementation legislation. Most Member States are still in the process of adapting their legislation where the GDPR allows some flexibility. Only Austria and Germany have already adopted the relevant national legislation. The GDPR will be applied by default even if local legislation is not in place by 25 May.

  • Establishment of a new independent European Data Protection Board.  This umbrella organisation, with a board composed of the EU’s national supervisory authorities, will be able to issue binding decisions on disputes regarding cross-border data processing and deliver guidelines on how to interpret GDPR provisions and ensure uniform application.

  • Member States’ commitment to provide appropriate funding and staffing of national data protection authorities to guarantee their independence and efficiency.

For its part, the Commission is dedicating EUR 1.7 million to fund data protection authorities, and to train data protection professionals. A further EUR 2 million will support national authorities in reaching out to businesses, in particular SMEs. 

The Commission has created a dedicated website to help individuals and SMEs understand their rights, obligations and legal implications of GDPR, such as definition of personal data, validity of consent, obligations related to data breaches and Data Protection Officers.