Greetings from Brussels!

Saturday, 25 May is upon us and will mark the one-year anniversary of the GDPR coming into force. What a bustle of a year with the broadest spectrum of privacy stakeholders running against time to prepare, implement and comply with its provisions! As one might have expected, this week has seen a flurry of articles, anniversary reflections, and a trove of numerical offerings published online. Lest we forget what the regulation’s introduction has entailed for us thus far.

To mark the occasion, the European Commission released a joint statement by Vice President for the Digital Single Market Andrus Ansip and Commissioner for Justice, Consumers and Gender Equality Věra Jourová speaking to the new awareness and citizen empowerment to gain back control over personal data. They remarked that regulatory compliance is a dynamic process that does not happen overnight. In the months ahead, the commission will continue to look to facilitate and ensure appropriate implementation of the new rules with regulators and concerned actors alike. The commission also released Eurobarometer data on GDPR awareness concluding that 67% of EU citizens having heard of the GDPR: Call-out for Sweden; they are the "best in class," with 90% of their citizens having heard of the GDPR, and 63% actually knowing what the regulation serves.

The EDPB has also been taking stock of the GDPR regime and having surveyed the Supervisory Authorities of the European Economic Area released an analysis of the board’s achievements. One particular statistic stood out for me: There were 446 cross-border cases registered with the board, of which 205 have led to "one-stop shop" procedures. Speaking to the year that has come to pass, Chairwoman Andrea Jelinek stated that compliance can only be achieved through an effective combination of guidance, stakeholder engagement, and, where necessary, enforcement by the national DPAs. Earlier this year, the EDPB adopted its work program for 2019 and 2020, which will continue to mirror these priorities, and Jelinek remains confident that an increasingly effective regulatory environment will continue to pay dividends.

The IAPP has not been idle either this week. According to our latest research, we estimate that about 500,000 European organizations have registered DPOs with their respective regulators within the first year of the GDPR. You can check this recent article for the detail. One thing is certain: There has been no shortage of debate around the GDPR. It has truly stimulated wholesale change in organizational governance and in privacy policy generally and will continue to do so across Europe. Moreover, the advent of the DPO function has been a catalyst for change within the working culture as data protection has increasingly become a strategic driver for businesses. This is a beginning, and while accountability is key to GDPR implementation, the establishment of a DPO is not enough, in itself, to guarantee effective privacy continuity. Organizations will need to ensure that DPOs and related support privacy functions are sufficiently trained and qualified as they become pivotal to the organizational process in the challenges faced over personal data brought about by the digital age.

An IAPP report treating the GDPR in numbers was also released this week that is based on European regulatory reviews and interviews. We have seen the commencement of GDPR enforcement; however, there is still much work to be done both at the organizational and regulatory levels. Oh, and don’t forget: The IAPP also released its new GDPR Genius — a tool that combines the regulation’s articles with relevant derogations, EDPB guidance, court precedent and other tools and resources. Be sure to check it out!