Blog: The European Data Protection Regulation is going to apply to processing of personal data across Europe as of 25 May 2018.
All companies, authorities, organizations etc. are trying very hard these days to bring themselves in a position, where they with enough power are able to demonstrate compliance.
However, the GDPR opens (deliberately) for assessments, policies, procedures, risk analyses that does not fit all. That is the heart of the regulation. We are leaving a regime of notification and approvals and relying on accountability, self-regulation, and control. This can only be seen as a benefit as it will provide for the relevant flexible data protection compliance across companies, sectors, authorities etc. Low risk and legal processing of personal data in one company may be risky and illegal in another company. The task is not easy and demands ressources and leadership, and everybody is struggling to eat the elephant.
The harmonized regulation is nevertheless aimed at providing one legal foundation for processing data protection across Europe. Taking down the national barriers for the free flow of data within the Union – to the benefit of society, competition, consumers and development of new innovative solutions, business etc. In the long run, it should make it less complicated processing personal data in Europe, as the legal foundation should be the same.
However, the flexibility has shown to have a dark side. The elephant is just getting bigger. Not only in Denmark, but also in other countries, member states are doing their best to push the bigger elephant through a keyhole. The trick is to reject that it is in fact a keyhole. Politicians and regulators are beginning to refer to the regulation as a directive, not a regulation, stretching recital 10 from a keyhole to an open field.
So, I call out to all companies and organizations in Europe; be alert! Be more than alert. You will be at risk of breaching the GDPR simply by complying with your national legislation. We are operating on very fragile grounds as no-one can be certain that the interpretation of the GDPR by a member state may not cause fines if brought before the ECJ. If so, there may off course be a possibility to make the members state themselves responsible for the mis-interpretation and unlawful national legislation. However, we all know that bringing parliaments and regulators before trials will be costly and take a lot of time.
The fact of the situation is, that even if one of the key aim to make the already complicated and difficult to understand-area of data protection in to a lean Union based regulation, we are moving in the opposite direction. Where it legally should not matter if processing of personal data is performed in Denmark or in Spain, we are now facing a regime of uncertainty. Uncertainty around the interpretation of the GDPR, uncertainty regarding member state regulation and uncertainty regarding jurisdiction of national legislation. The complication and complexity is just increasing.