In March this year, the Article 29 Working Party of EU data protection authorities wrote to the governments of all the member states, reminding them that they need to provide enough resources for regulators to be able to handle the General Data Protection Regulation.
"The WP29 calls upon governments of the EU member states and, where applicable, to regional governments within these states to provide sufficient financial and human resources for national supervisory authorities to conduct their duties not only once the new legal frameworks apply, but also essentially beforehand, during the critical transitional period," the watchdogs declared at the time.
So, half a year later and with not much more than half a year to go before the GDPR comes into effect in May 2018, are all the regulators happy with the resources they've got coming? Far from it.
Earlier this month, DPAs in both the U.K. and the Netherlands went public with their pleas for more funding and staff. And, as The Privacy Advisor has discovered, they're not the only ones looking nervously at the GDPR's ticking clock.
Indeed, regulators in Bulgaria, Poland and Portugal have all expressed serious fears over their resourcing. Those in France, Finland, Sweden and the Czech Republic have also called for funding increases and are waiting on their respective national legislatures to confirm that they'll be getting what they need.
"The Portuguese DPA has been facing a huge problem for some years concerning the lack of human resources, which has a great impact in its daily activity and capacity to provide adequate and timely response to data subjects and to data controllers," said Clara Guerra, a senior consultant in the international service of the Portuguese DPA, the CNPD.
"For the upcoming GDPR and all due adjustments that have to be made, including a very demanding, expert and time-consuming work at [European Data Protection Board] level, the DPA has not received yet any indication that the situation is about to change, in terms of financial resources (the DPA will no longer get fees from notifications) and staff increase."
Plamen Angelov, the legal affairs director at the Bulgarian Commission for Personal Data Protection, told The Privacy Advisor that the DPA has had no increase in its 87-strong head count in the last two years.
"However, as a result of the adoption of the GDPR, there are a number of urgent priorities that require significant financial and human resources, such as trainings of data controllers and processors, especially [data protection officers], as well as information and awareness campaigns for citizens," Angelov said. "In this context, according to our estimates, the implementation of the new legal framework will require staff and budget increase of around 25 to 30 percent of the existing employees and funds."
The situation at the Polish DPA seems even more concerning. "To be frank, this year's budget that was appointed to us is sufficient to fulfill our obligation but under the current Data Protection Act. We are pretty sure that within this budget it will not be feasible to fulfill all obligations according to the GDPR," said Paweł Makowski, deputy director for international cooperation at the office of the Inspector General for the Protection of Personal Data.
Makowski said the office will have a lot more work under the GDPR, such as imposing administrative fines. It currently only needs to take notifications of data breaches from the telecoms sector, but that too will change.
The Polish DPA asked for a doubling of its budget and another 100 employees (it already has around 140) in late July, and the government has until the end of the year to respond. However, this week, the country's digital affairs ministry issued a new draft data protection law that would establish an entirely new data protection authority, potentially with less independence from the government, and with funding equivalent to the amount requested by the existing watchdog.
"We are a little bit afraid that the ministry of digital affairs plans to cut the term of the inspector general and then establish a completely new authority," Makowski said. "Consultations started yesterday. … We will see."
France's CNIL has asked its government for more resources by March and is awaiting a response in the country's budget.
"We do not know yet if we will be provided with more financial means," said Marine de Baillenx, a communications officer at the regulator. "On the one hand, we face growth in our activity — double-digit growth — meaning that we have more complaints, and we have more processors coming to us and asking for advice. For all these activities we have double-digit growth, but on the other hand, we don't have double-digit growth for resources."
Elisabeth Jilderyd, a legal adviser at the Swedish Data Protection Authority, said the DPA had already received a 40 percent increase in its 2017 budget, compared with the previous year, "further to the entry into force of the GDPR." This has allowed it to hire more staff. However, it's anticipating the need for more.
"We have also stated the need for increased resources due to the GDPR, and the implementation of the Directive for law enforcement authorities, for the coming two years and this will be handled in the next state budget procedure," Jilderyd said.
In the Czech Republic, government ministries are currently discussing a GDPR-related amendment to the country's Data Protection Act. "Consequently, it is too early to talk about sufficiency or insufficiency of resources available for our DPA in the light of GDPR implementation in 2018," said Vojtěch Marcín, a spokesperson for the Office for Personal Data Protection.
And as for Finland, Elina Autio, a communications planner at the Office of the Data Ombudsman, said the DPA would need around 10 to 15 percent more resources next year than this year. It has asked for a budget increase, but this has not been confirmed yet.
Not everyone is brandishing their begging bowl, though — the DPAs of both Estonia and Hungary said they had what they needed, for now at least.
"The Hungarian DPA will be appropriately supplied with extra resources to be able to cope with the new challenges," said Julia Sziklay, head of the international affairs department at the National Authority for Data Protection and Freedom of Information.
And Viljar Peep, the director-general of the Estonian Data Protection Directorate, said his organization had "so far … not been complaining."
Peep said the Estonian DPA has a staff of 18, but it outsources all its supporting services and can also use the "external IT expertise of some IT agencies." He also noted that the authority will use a web-based channel for data-breach notifications and has established training programs for data protection officers in cooperation with Estonian universities.
"Nobody knows exactly what workload we will have under the GDPR," Peep said. "We can temporarily reduce our proactive work and will have knowledge-based staff and budget calculation after the GDPR introduction."
If you want to comment on this post, you need to login.