The European Commission has released a new website with extensive guidance on GDPR implementation for just about every stakeholder: DPAs and member states, businesses, and data subjects. Available at the short URL europa.eu/dataprotection, the site offers infographics, explainer documents, a guide to GDPR enforcement, and general FAQ-style information. It is part of a larger effort by the Commission, particularly Vera Jourová, who announced the new materials at a press conference today, to educate the entire EU about the looming GDPR, now that we're nearly within 100 days of it coming into force.
In total, according to a press release, the Commission has earmarked 1.7 million euros to help fund data protection authorities and train data protection professionals, as well as another 2 million euros for member state-level information campaigns, particularly targeted at small businesses.
Specifically, said Jourová's head of cabinet, Renate Nikolay, at this week's CPDP conference in Brussels, "There will be targeted outreach to SMEs in member states where we hear there is large-scale lack of awareness thus far."
"We have to carry everyone with us," Nikolay continued. "It's not that homogenous in the EU yet. In some member states, the awareness for data protection is much more developed than in other member states." For example, newer additions to the EU don't have the 20 years of experience that some older member states have. So Commission VP Andrus Ansip will travel to Croatia on a GDPR-awareness campaign. Jourová will travel to the Czech Republic. Bulgaria will get a visit.
Will businesses and data subjects have similar GDPR experiences in all 28 member states? "There will be a difficulty in making that happen," Nikolay allowed, "but there’s a chance to avoid that." She also said the Commission is already planning a one-year-anniversary get-together with subject matter experts, politicians, DPAs and other stakeholders to evaluate what has worked thus far and what needs addressing.
And what, of note, is in the guidance? There is quite a lot of material, much of it well known to privacy professionals, but there are some nuggets of new information.
In its communication to Parliament and the Council, for example, the Commission notes that it has convened an "Expert Group" to assist member states in their implementation of the GDPR, and that the group has met 13 times already. The activity minutes are an interesting window into the interplay between the Commission and member state representatives. Later in the document, the Commission threatens member states with the "infringement procedure," should they not get their GDPR implementation acts together, which might also include providing more resources to national data protection authorities. There are a number of points where the Commission implies many DPAs are under-funded for the GDPR task ahead of them.
We also learn the Commission is pursuing updated language in Convention 108 that will reflect the new GDPR language, in an effort to harmonize data protection principles around the globe. There's even a Gantt chart of sorts outlining the next steps the Commission, member states, and businesses should be taking as the GDPR comes into force.
In total, the guidance makes clear the GDPR is to be taken seriously, but also seems to acknowledge that there is much work left to be done before May 25. It seems to echo the message that has been transmitted by many speakers on CPDP stages so far this week: The GDPR and its implementation will be a work in progress for some time to come. One speaker suggested it could take 10 years before the GDPR might be considered a mature piece of legislation that is well understood.