With a little over 100 days until GDPR comes into force, the European Commission is worried that national governments have been too slow to enact the new rules into law. The statement came as the Commission also launched guidance to help individuals and organisations understand the new rules and how they are impacted, along with an online tool to help smaller companies with compliance.
Noting that only two countries have passed the legislation required to turn GDPR into national law, the Commission called on member states to speed up the process, and to make sure their laws match the new rules. The UK is not one of the two; our own Data Protection Bill only had its first reading in Parliament last week. “We call on EU governments, authorities and businesses to use the remaining time efficiently and fulfil their roles in the preparations for the big day,” said Věra Jourová, Commissioner for Justice, Consumers and Gender Equality.
Looking ahead to May, the Commission also called on member states to make sure that their national data authorities have the resources necessary to enforce the tough new rules. A statement urged member states to “ensure they equip their national authorities with the necessary financial and human resources to guarantee their independence and efficiency”. In this area the UK does seem to be on track. The Information Commissioner’s Office (ICO) website hosts a library of guides to GDPR as well as checklists for companies to prepare for the change. It seems that the ICO is warming itself up for tougher enforcement too: recent weeks have seen a flurry of enforcement action from the data watchdog, including a record £400,000 fine for Carphone Warehouse.
As well as chivvying along national governments, the Commission launched new guides for individuals and organisations aimed at spreading awareness of GDPR, especially among SMEs, noting that “knowledge of the new rules is not evenly spread”. Standardised across the EU and applying to any company worldwide that holds data on EU citizens, GDPR replaces the previous directive, which is now two decades old. As well as updating rules to cover technologies such as social media, which did not exist when the existing rules were written, GDPR toughens up penalties for data breaches and requires firms to adopt security by design.
It’s not just governments that seem tardy in adapting to the changes. Despite the efforts of an army of consultants helping firms to prepare, many companies, especially smaller ones, seem unaware of the looming deadline. The London Chamber of Commerce and Industry released findings this week that a quarter of the capital’s companies did not know about the changes. “Businesses that are already vigilant about their data protection responsibilities, are unlikely to be unduly burdened by the new legislation,” said LCCI’s Chief Executive, Colin Stanbridge, “however we would urge businesses to take this opportunity to review their processes to see if they need to make any changes to be compliant.” With maximum fines for non-compliance at 4% of global turnover or €20 million, those who don’t heed his call have a lot to lose.