Dear Data Protection Community,
On 25 May 2018 we reach a turning point in data protection. The EU sets a worldwide standard that will have a broad effect on the global economy. This standard applies to all companies that provide services to EU citizens. The GDPR will exert immense pressure on international and EU companies to comply with its measures.
Fines of 20 million € or 4 % of worldwide turnover will be imposed on infringing companies. The burden of proving compliance with all 99 Articles of the GDPR lies with the controller, the company or legal body responsible for the data processing. Companies have to be able to provide the DPA (Data Protection Agency, the ´data protection watchdog´) with a data inventory (“records of processing activities“) that readily shows all processes relating to personal data. PIAs (Processing Impact Assessments) for processing that carries a high risk to consumers, employees or citizens (´data subjects´ in legal language) have to be approved by the DPA.
Consumers, customers or employees may exercise their right to access their data or their right to have their data transferred to a third party. They may delegate these rights, and the right to file complaints against companies, to NGOs of data protection activists. For example, Max Schrems and his organisation Noyb will take the opportunity to strategically sue big players like Facebook and Google. In the near future the EU lawmaker will probably give them the opportunity to file class actions, which may pose a crucial economic threat to multinational companies.
Are these measures too far-reaching, or just a logical consequence of years of disregard for EU data protection law?
Certainly, you have your own opinion, but that does not relieve the pressure which currently lies on the DPOs, who are just being appointed all over the EU, and on the implementation projects, which are trying to implement the measures of the GDPR by 25 May as best they can. Providing these people with information on how to implement the GDPR in a feasible way is the first and most important objective of the DPOblog.
The EU Commission stated that the implementation of Directive 95/46, which is currently the baseline of data protection law in the EU, differs extremely between the Member States. That statement is underlined by my experience working for several international companies. As a consequence, the second aim of the DPOblog is to make the differences between national traditions of data protection transparent, to discuss those differences and to reach a common European understanding of the quality and the extent of the right to data protection.
I will start by providing content to the DPOblog.
- In „Basics“, you will find articles on fundamental issues that help you get to know the GDPR, like „What is personal data?“.
- In „Articles“, you will find more elaborate contributions focusing on one specific issue of interest, on new decisions of the ECJ or on new Working Papers of the European Data Protection Board.
- In „Editorial“, you will find opinions about general developments, focusing on the big picture in data protection.
But the goal of the DPOblog is to start a debate between data protection experts of all Member States of the EU, including data protection experts from countries that are affected by the GDPR (such as the US IT business). In addition, the DPOblog seeks to be open to all stakeholders in the data protection community: DPOs of private businesses or public institutions, lawyers, data protection activists, members of DPAs (Data Protection Agencies), legal or technical scientists, and interested citizens.
Please feel invited to take part in this discussion and to send me your thoughts or the issues you wish to see discussed.