Two years after the introduction of GDPR, the EU says it has been an 'overall success' in meeting many of its expectations, but a number of areas for future improvement have been identified.
It says it is closely monitoring the application of the GDPR to new technologies such as AI, the Internet of Things and blockchain.
In an international context, the Commission is stepping up its dialogue with regional organisations and networks that are increasingly playing a central role in shaping common data protection standards, as well as promoting the exchange of best practices and fostering cooperation between enforcers, it says.
The main advantage is that businesses, including SMEs, now have just one set of rules to adhere to. The GDPR also creates a level playing field with companies that are not established in the EU but operate here.
The future-proof and risk-based approach of the GDPR will also be applied in the future EU framework for Artificial Intelligence and in the implementation of the European Data Strategy.
Chris Harris, EMEA Technical Director at technology specialist Thales, says: “Since its inception there have been murmurs about its effectiveness due to lack of clarity on compliance and fears around the resources and power each data protection authority (DPA) has to track and investigate the number of breaches that occur in their country. This is something that should have been sorted from the start, and not something that we are still talking about two years later – four if you include the transition period!
“Whilst we’ve seen some justifiably big fines dished out, unfortunately, as organisations continue to digitally transform, the lack of clarity around new technologies like blockchain and AI is actually mostly hitting law-abiding companies that are just trying to be compliant. We need to ensure GDPR operates as the protective bubble around personal information that we all want, without restricting the innovation and development that the world needs from these disruptive technologies.
“Smaller companies may have found compliance harder, not only due to the complexity and potentially onerous nature of the requirements, but because many vendors with GDPR-focussed solutions were understandably scaling their offerings for the larger organisations. With a continued increase in the migration to the cloud this has perhaps now become simpler with the advent of solutions such as cloud-agnostic key management solutions and subscription-based data-protection-on-demand services.
“In order to be truly effective, the EU needs to give clearer instructions on how to be compliant that are consistent across each country, while giving local DPAs more resources to pursue heavy penalties against companies that are intentionally putting their customers’ data at risk.”