Editor’s Note: Published as communication from the European Commission to the European Parliament and Council, the recent report on data protection as a pillar of citizens’ empowerment and the EU’s approach to continued digital transition two years after the application of the General Data Protection Regulation (GDPR) may be beneficial for legal, business, and information technology professionals as they consider data protection in the European Union.
Data Protection as a Pillar of Citizens’ Empowerment and the EU’s Approach to the Digital Transition – Two Years of Application of the General Data Protection Regulation
Opportunities and Challenges for Organizations, in Particular, Small and Medium-sized Enterprises
The GDPR, together with the Free Flow of Non-Personal Data Regulation, offers opportunities to companies by fostering competition and innovation, ensuring the free flow of data within the EU, and creating a level playing field with companies established outside the EU. The right to portability, coupled with an increasing number of individuals in search of more privacy-friendly solutions, has the potential to lower the barriers to entry for businesses and open the possibilities for growth based on trust and innovation. Some stakeholders report that the application of the GDPR is challenging, especially for small and medium-sized enterprises (SMEs). According to the risk-based approach, it would not be appropriate to provide derogations based on the size of the operators, as an operator's size is not in itself an indication of the risks that the personal data processing it undertakes can create for individuals. Several data protection authorities have provided practical tools to facilitate the implementation of the GDPR by SMEs with low-risk processing activities. These efforts should be intensified and widespread, preferably within a common European approach in order not to create barriers to the Single Market.
Data protection authorities have developed a number of activities to help SMEs comply with the GDPR, for instance through the provision of templates for processing contracts and records for processing activities, seminars, and hotlines for consultation. A number of these initiatives benefited from EU funding. Further activities should be considered to facilitate the application of the GDPR for SMEs.
The GDPR makes a toolbox available to all types of companies and organizations to help them demonstrate compliance, such as codes of conduct, certification mechanisms, and standard contractual clauses. This toolbox should be used to its full extent. SMEs stress, in particular, the importance and usefulness of codes of conduct that are tailored to their situation and which do not entail disproportionate costs. As regards certification schemes, security (including cybersecurity) and data protection by design are key elements to be considered under the GDPR and would benefit from a common and ambitious approach throughout the EU. The Commission is currently working on standard contractual clauses between controllers and processors, building on the ongoing work on the modernization of the standard contractual clauses for international transfers.