In May of this year, what is now the biggest landmark in regulatory legislation in a generation celebrated its sixth birthday.
The international reverberation caused by the passing of the General Data Protection Regulation (GDPR) over these past six years cannot be exaggerated. It has reshaped the landscape around how data is governed not just in the EU itself, but overseas too. GDPR became a de facto standard in how many international organizations manage data and, perhaps more importantly, sparked GDPR-like laws in many other jurisdictions, such as India, China, Southeast Asia and, increasingly, the U.S. at state level.
However, as the years go by, the GDPR itself is changing, with new amendments being tabled to face new challenges and to learn from the considerable body of legal experience the judiciary now has in dealing with data-protection breaches.
The amendments now being considered focus on the procedural aspect of enforcing the GDPR. Chief among lawmakers’ concerns is a perceived lack of fast-paced cooperation in cross-border cases. Because the EU is a supranational organization, the GDPR mandates that each country have an official “Data Protection Authority” (DPA) that handles enforcement, for example, France’s CNIL (National Commission on Informatics and Liberty). In some cases, requests for information between these different supervisory authorities can take a lot of time. Ultimately, therefore, the intent is to make complaints faster to deal with and to punish breaches more effectively.
It’s important to note the amendments are still being discussed.
What exactly is being amended?
In April, the European Parliament voted on a range of amendments to the GDPR that were first proposed by the Commission in 2023. The key amendments are essentially built around streamlining the enforcement process, and include:
- One-Stop-Shop mechanism enhancement: The existing One-Stop-Shop (OSS) mechanism, which allows companies to deal with a single supervisory authority for cross-border data processing activities, will be strengthened. This includes clearer guidelines for determining the lead supervisory authority and faster information sharing between authorities.
- Faster decision-making: Deadlines for decisions on cross-border cases will be reduced to expedite the process.
- Increased cooperation: DPAs will be required to cooperate more closely, sharing information and resources efficiently.
- Clearer rules for data transfers: The rules governing data transfers to third countries will be clarified to provide more legal certainty for businesses.
- Strengthened enforcement powers: DPAs will be granted stronger enforcement powers, including higher fines for non-compliance.
What does this mean for your organization?
These changes aim to create a more efficient and effective GDPR enforcement landscape. While the core principles laid down in the GDPR aren’t changing, you can expect:
- Increased scrutiny: The streamlined process may lead to faster investigations and potential penalties for non-compliance.
- Enhanced cooperation: Better cooperation between DPAs can result in more consistent enforcement across the EU.
- Adapting to new rules: Organizations will need to stay updated on the evolving regulatory environment and adjust their data protection practices accordingly.
- Potential for increased costs: Implementing new compliance measures and adapting to changes can incur additional expenses.
Conclusion
The GDPR is evolving to meet the challenges of the digital age. While these amendments focus on procedural improvements, they have significant implications for businesses operating within the EU and beyond. By understanding the changes and the impact of data protection laws, and by taking proactive steps to comply, organizations can mitigate risks and build trust with customers.
Remember that the final text of the amended GDPR is still under negotiation and may change!