The GDPR five years later: Five successes, and five failures

25 May 2023

It has now been five years since the EU data protection regulation came into effect – and thus it is time for a summary of what works well, and what needs fixing. We have prepared a brief overview of the successes and failures of the GDPR.

What has worked?

  • Greater awareness of data protection laws: controllers and processors are more aware of their obligations under the GDPR. Data subjects are more aware of their rights with regard to data processing.
  • Legislation common to the entire EU: standpoints of the European Data Protection Board and CJEU judgments explain certain terms and obligations under the GDPR. It is possible that the GDPR will be applied in a uniform manner in the EU in the future.
  • Greater transparency for data subjects: due to the principle of transparency, data subjects are better informed of how their data are used.
  • Right of access: Under the GDPR, the right of access to data is very broad in scope, and includes the right to a copy of the data free of charge. The right of access to data helps data subjects to exercise other rights and puts them in a stronger position in their relations with controllers.
  • Broad geographic scope of the GDPR: The GDPR also applies to entities that do not have organizational units in the EU, but process Europeans’ data. This means that entities in third countries comply with the GDPR and ensure that personal data are secure, at least to the same level as controllers in the EU.

What needs more work?

  • Lengthy handling of cases by data protection authorities and administrative courts: anyone who submits complaints regarding unlawful processing of their data, and the entities concerned, have to wait a long time for their cases to be reviewed.
  • Uncertainty with respect to global transfer of data: This applies in particular to data transfer to the US, following the CJEU Schrems II judgment. This causes confusion when marketing solutions or cloud computing solutions are used in which data are transferred outside the EU.
  • Little benefit from certification mechanisms and codes of practice: there is only one approved EU certification mechanism, while in Poland only one code of practice has been approved. This means that there are no tools that serve as an aid for SMEs to comply with and demonstrate compliance with GDPR requirements.
  • Some controllers or processors do not understand the concept of a risk-based approach: a dynamic and flexible approach towards obligations under the GDPR is required, such as evaluating risk or verifying a processor. This lack of understanding results in a low level of data protection, or no protection at all, as safeguards employed by controllers or processors become outdated.
  • Prior consultations are not established as a platform for cooperation between controllers and a supervisory authority: prior consultations were intended to be a platform for bureaucracy-free cooperation between a controller and supervisory authority, designated for complex data processing procedures. Such consultations are rare in practice, and for this reason controllers are unable to obtain practical support from an authority in ensuring compliance with the GDPR.