Who’s Enforcing GDPR?

by Sarah Harvey / July 19th, 2018

The Information Commissioner’s Office (ICO) enforces the GDPR as of May 25, 2018.

There’s no doubt that GDPR has brought its fair share of challenges into the world of data privacy. GDPR was specifically designed to impact businesses across the globe, not just European Union Member States. Its ultimate goal, though, is to reduce regulatory differences in order to make data protection laws more consistent and make businesses more transparent.

Part of the innovativeness of GDPR is, in order to work as it’s intended to, the law needs a collaboration of all participants. This includes data subjects, controllers and processors, data protection officers, supervisory authorities, the European Data Protection Board, and the European Commission. With so many players in the game and such a broad territorial reach, how do you know how they function together and who’s enforcing GDPR? Let’s start at the top.

GDPR Enforcement by the European Commission

The European Commission proposes and implements laws that align with the objectives of EU treaties, meaning that it created the rules for the protection of personal data for the EU.

If you want to look at where GDPR began, you must go back to 1995, when the Directive 95/46/EC was given to regulate the processing of personal data in a fair and lawful manner; “fair” meaning you must tell data subjects what you’re doing with their personal data and “lawful” meaning you must comply with data subjects’ rights. But then technology and the way we share and collect data changed.

The 1995 directive, like many other laws and regulations, needed updating. In 2012, the European Commission proposed data protection reform to replace Directive 95/46/EC and about three years later, in December of 2015, the European Commission agreed on a final draft of the GDPR, paving the way for adoption by the European Parliament. On May 25, 2018, GDPR officially took effect and became an enforceable law.

When the European Commission needs advice or has questions about the protection of personal data, it goes to the European Data Protection Board for answers and recommendations.

European Data Protection Board

When GDPR went into effect, a major regulatory development was the establishment of the European Data Protection Board (EDPB). The EDPB has replaced the Article 29 Working Party (WP29) as the regulatory body and legal personality of GDPR but has similar membership. In fact, the EDPB has adopted much guidance from the WP29, such as topics like data protection officers, transparency, consent, and portability.

Moving forward, the EDPB will now be the source for GDPR guidance. The EDPB will have a more comprehensive purpose than the WP29, and it will be more likely to obtain feedback from the public during the course of developing guidance.

Article 70 defines the tasks of the EDPB, which include issuing guidelines and recommendations, advising and communicating with the European Commission, and ensuring consistency of the application of GDPR.

EU Member States

It’s up to each of the EU Member States to develop their own guidance around GDPR and supervise the application of the law within their territory. Because the GDPR’s scope is spread between 28 EU Member States, it gives Member States some opportunity to make adjustments for how it applies in their country. For example, the UK’s Data Protection Act 2018 recently received the Royal Assent, which works with GDPR to form new data protection principles. This act modernizes data protection laws and the Information Commissioner’s Office recommends that the Data Protection Act 2018 and GDPR be read side-by-side.

As of May 25, 2018, each of the 28 EU Member State has designated a supervisory authority to be responsible for monitoring the application of GDPR within its territory.

Supervisory Authorities

Articles 51-59 require that each EU Member State designate an independent, public authority to be responsible for monitoring the application of GDPR and addressing non-compliance, known as a supervisory authority or data protection authority (DPA). Supervisory authorities’ main purpose is to protect personal data. Supervisory authorities, although there are 28 of them, play a central role in consistent application of GDPR.

As part of Article 31, controllers, processors, and their representatives must cooperate and support supervisory authorities in the performance of tasks. Supervisory authorities are generally tasked, within their territory, to do the following:

Monitor and enforce GDPR
Promote public awareness on data subjects’ rights and risks
Promote awareness to controllers and processors of their obligations
Handle and investigate complaints
Cooperate with other supervisory authorities
Document infringements and the corrective actions given
Investigate the application of GDPR in the form of data protection audits and reviews
Exercise corrective and advisory powers

In general, the main contact point for questions or topics on personal data protection is the supervisory authority in the EU Member State where the controller or processor is based. For example, a controller or processer based in France would report to the National Commission of Computing and Freedoms in France. However, if there is cross-border processing, the supervisory authority of the main establishment acts as a lead supervisory authority.

Because GDPR is a law and not an information security or privacy framework, we’ve heard the question of “who’s enforcing GDPR?” a lot. Data subjects, controllers and processors, supervisory authorities, the European Data Protection Board, and the European Commission must work together to implement and enforce GDPR, to make data protection law more consistent, and encourage businesses to be more transparent.

Do you know who the supervisory authority in your Member State is? Do you have a DPO? Have more questions about controllers and processors? Contact us today to find the answers you need.