EU admits GDPR needs to be ‘clearer and more consistent’

Thales is one of the firms calling out GDPR for ‘lack of clarity on compliance’, two years since its launch

Posted 25 June 2020 by Christine Horton

Two years since its introduction, there are calls for enforcement of GDPR (the General Data Protection Regulation) to be clearer and more consistent across the EU.

The European Commission yesterday published a report on the progress of the regulation to date, in which it acknowledges the difficulties of implementing the data protection regulation.

Chris Harris, EMEA technical director at security specialist Thales believes there have been murmurs about the effectiveness of GDPR since its inception. This, he says, is due to lack of clarity on compliance. It is also down to fears around the resources and power each data protection authority (DPA) has to track and investigate the number of breaches that occur in their country.

“This is something that should have been sorted from the start, and not something that we are still talking about two years later – four if you include the transition period!” he said.

To-do list

EU lawmakers have admitted they have a “very serious to-do list” to enforce the regulation consistently across the region.

Speaking at a Commission briefing, Věra Jourová, Commission VP for values and transparency, said: “The European Data Protection Board and the data protection authorities have to step up their work to create a truly common European culture – providing more coherent and more practical guidance, and work on vigorous but uniform enforcement.”

Harris said that while there have been some justifiably big fines dished out, a lack of clarity around new technologies like blockchain and AI is hitting law-abiding companies that are just trying to be compliant.

“We need to ensure GDPR operates as the protective bubble around personal information that we all want, without restricting the innovation and development that the world needs from these disruptive technologies,” he said.

Clearer instructions

Harris also noted that smaller companies may have found compliance harder. This is not only due to the complexity and potentially onerous nature of the requirements, but because many vendors with GDPR-focused solutions were scaling their offerings for the larger organisations.


“With a continued increase in the migration to the cloud this has perhaps now become simpler with the advent of solutions such as cloud-agnostic key management solutions and subscription-based data-protection-on-demand services.

“In order to be truly effective, the EU needs to give clearer instructions on how to be compliant that are consistent across each country, while giving local DPAs more resources to pursue heavy penalties against companies that are intentionally putting their customers’ data at risk,” he said.

The regulation has led to other data protection regulations being introduced worldwide, most notably the California Consumer Privacy Act in the United States.