May 2020 marked two years since the GDPR came into effect. To gauge the impact of the regulation and consider whether or not it’s achieved its aims, the European Commission conducted a thorough assessment, the results of which it published in its report Two Years of the GDPR.
What are the key findings of the report?
While some areas for improvement have been identified, the GDPR has, on the whole, been a success, fulfilling many of its aims. It's important to note, though, that the Commission believes it would be premature to draw any definite conclusions just yet and will refrain from providing proposals for a GDPR revision until more time has passed.
How has the GDPR improved data protection?
The GDPR has improved data protection in two key ways. Firstly, by consolidating data protection legislation into one cohesive set of regulations, it has made the act of complying much simpler for businesses - particularly SMEs. Secondly, the GDPR has empowered the general public by bringing data protection firmly out into the open and making people aware of their rights and the power of their data.
How is the GDPR being applied to new technologies?
The problem with older data legislation is that it was quickly being outpaced by technological developments. The intent behind the GDPR was to avoid this problem and future-proof legislation by making it risk-based and technology-neutral. This was put to the test during the Covid-19 pandemic, where its principle-based rules proved successful by supporting the development of new tools to combat and monitor the spread of the virus.
How is the cooperation and consistency mechanism working in practice?
The cooperation tool of mutual assistance is being used very intensely by data authorities who have been very actively working together as part of the European Data Protection Board (EDPB). However, the consistency mechanism has met with mixed results as neither a dispute resolution nor urgency procedure has yet been triggered.
More generally, the consensus is that a more efficient and cohesive approach is needed when using the cooperation tools provided by the GDPR. These problems have been compounded by differences in national administrative procedures, varying interpretations of concepts relating to the mechanism, and varying approaches regarding the start of the procedure and the timing and communication of information.
How does the GDPR contribute to global data protection standards?
The GDPR has emerged as a reference point and acted as a catalyst for countries and regions across the world seeking to modernise their data protection and privacy laws. Chile, South Korea, Brazil, Japan, Kenya, India, Tunisia, Indonesia, Taiwan, and the US state of California, among others, have all used the GDPR as a template for revisions to their own privacy legislation.
How has the GDPR facilitated international data flows?
The continuity of protection outside of the EU is absolutely essential to the GDPR. It offers a modernised toolbox to facilitate the transfer of data from the EU to a third country or international organisation. The toolbox includes actively engaging with key partners with a view to reaching mutually beneficial results; successes so far include the creation of the world’s largest area of free and safe data flows between the EU and Japan. Work is still ongoing with regard to other transfer mechanisms to harness the full potential of GDPR rules on international transfers.
How is the GDPR being enforced? What enforcement measures have been taken so far?
The GDPR has served to both harmonise and strengthen the enforcement powers of national data protection authorities. So far, authorities have been making use of the GDPR’s broad range of corrective powers including administrative fines, warnings and reprimands, and compliance orders.
What are the main improvements that can be made for the future?
The key objectives going forward are to better support the harmonised and consistent implementation and enforcement of the GDPR within the EU and to focus efforts on promoting the convergence of data protection rules internationally.
What are the next steps following this evaluation report?
The next evaluation is scheduled for 2024. Until this time, the Commission will continue to monitor the implementation of the improvements suggested in this report and foster compliance between member states.
For a more in-depth look at this Q&A, visit the European Commission website.
To date, over 400,000 people have taken our GDPR Training Courses. Our GDPR Essentials Training will help users understand what personal data is, what rights we all have over our data, the principles of data protection and the importance of data confidentiality.