Six months of the GDPR: three questions for Wojciech Wiewiórowski

Wojciech Wiewiórowski: Though it is hard to assess the total impact of the data protection reform just six months after the law became applicable, the overall result is positive. After the initial uncertainty – or panic – most controllers have found that they already have many of the tools in place to comply, since GDPR requirements do not differ too much from what they had to comply with before 25 May 2018. At the same time, the introduction of the GDPR was a signal to re-assess privacy settings, raise the awareness of clients and to check the cybersecurity readiness of the organisation. Most controllers and processors dealing with our personal data appear to be ready to assure their customers that personal data is secure in their information systems.

From an institutional point of view, data protection authorities on national and European level have met with our expectations as well – the requirements set for them in the GDPR were also significant.

Portrait

Wojciech Wiewiórowski
The EDPS – the European Data Protection Supervisor – is the European Union’s independent data protection authority. Before his appointment as Assistant Supervisor, Wojciech Wiewiórowski served as Inspector General for the Protection of Personal Data at the Polish Data Protection Authority, a position which he had held since 2010. He was also Vice Chair of the Working Party Article 29 Group.

Can you give a short impression of which problems appeared in different countries?

Wojciech Wiewiórowski: There are some typical or ‘standard’ issues we have seen arising across Europe, such as transnational administrative procedures, documentation of data processing, interaction with banking law, insurance law or health data standards. There are also problems which are more apparent in some countries than others since EU countries differ one from another. What is considered a huge enterprise in Estonia may be considered a medium-sized company in Germany. Luxembourg may seem to be a small country, but there are big companies established there. Data Protection Officers are well established in some EU countries (e.g. Spain, France, the UK, Germany, the Netherlands, Poland) while they are quite new in others (such as in the Czech Republic). There are countries with extensive experience in applying financial sanctions in data protection law (Spain, the UK) and countries which have never used this tool (Finland, Poland). What is apparent is that there is difficulty in the interaction between classic data protection law and national legislative solutions in banking law, insurance, professional confidentiality and particularly national standards in handling medical data. The latter differs from country to country and it is really hard to set a Europe-wide interpretation in this field.

What is most surprising for you concerning the first six months of the GDPR?

Wojciech Wiewiórowski: I may joke that the biggest surprise is that the world is still turning after 25 May. Some ‘experts’ threatened that it would collapse with the EU’s creation of a new ‘monster’. More seriously, I would personally highlight three aspects of the world since 25 May:

1. There is enormously strong support for GDPR solutions in comparison to some of the new ideas on the so-called draft ePrivacy Regulation. The majority of market players agree that the GDPR sets the standard to be defended and think it is reasonable.
2. Most of the questions addressed to data protection authorities after 25 May concern the problems which existed before the reform. It simply highlights that the reform has forced the controllers to comply with the law which was always obligatory anyway.
3. The GDPR appears to be the standard or reference point for all other jurisdictions in the world. Not all of them want to follow EU solutions, which is understandable, but all of them compare their legislative choices to ‘the world standard’ of the GDPR.