Evaluation of the GDPR: EFDPO suggests a cutback in bureaucracy to support small and medium-sized enterprises

Jun 24, 2020

Position paper gives recommendations from practitioner’s point of view

On the occasion of the first evaluation of the General Data Protection Regulation (GDPR) by the EU Commission, the European Federation of Data Protection Officers (EFDPO) calls for relief for small and medium-sized enterprises. In a position paper, the umbrella association suggests a cutback in bureaucracy by involving the Data Protection Officer (DPO) more intensively. The bureaucracy created by the GDPR does not result from the designation of the DPO, but from the comprehensive organizational and documentation obligations of the GDPR, which exist independently of the DPO and are subject to a fine. The involvement of the DPO therefore leads to relief for small and medium-sized businesses.

“Even the most vocal critics at the beginning of the GDPR have now come to realize that the regulation was the right and future-oriented step for data protection in the EU,” says Thomas Spaeing, President of the EFDPO. “Despite all the advantages, however, we also see potential for optimization in some points and would welcome a discussion about this.”

In order to provide true support for small and medium-sized enterprises (SMEs), the EFDPO supports, in its position paper, an obligation for controllers/processors with a DPO to report all incidents or possible incidents of a personal data breach directly to the DPO. In a second step, only those data breaches that pose a high risk to the data subjects will be directly forwarded to the supervisory authorities. The DPO also keeps a register of all incidents and monitors the corrective measures. 

As a further measure, the EFDPO recommends that DPOs should play a more essential role in drafting and observing a Data Protection Impact Assessment and the Risk Analysis and be responsible for the records of processing activities.

In addition to disentanglement and harmonization within the GDPR, particularly regarding documentation obligations, the position paper advocates mitigated sanctions if companies have actively involved a DPO in the fulfillment of these obligations.

Lastly, the EFDPO sees room for improvement in the information obligation in order to achieve better general comprehensibility and transparency for the data subjects. Further information is available in the EFDPO position paper, which can be downloaded here.

Recent news

Starting up: The DAME 2022 Data Protection Media Award

The competition initiated by the Professional Association of Data Protection Officers in Germany (BvD) is entering its sixth round. Media professionals and creative minds can submit their contributions on the topic of data privacy from now until December 5.

European Court of Justice (ECJ) ruling strengthens the role of the internal data protection officer and helps companies

The Federal Data Protection Act provides for a special position of the internal data protection officer. Due to the sensitive nature of their work, the respective employee can only be dismissed for good cause. This special national regulation has now been confirmed by the European Court of Justice (ECJ), which thus strengthens the role of data protection officers.

Pierre-Yves Lastic appointed Secretary General of EFDPO

On July 8, 2022, the Board of Directors of the European Federation of Data Protection Officers (EFDPO) appointed Dr. Pierre-Yves Lastic, Vice-President of the French Union of Data Protection Officers (UDPO), as Secretary General of EFDPO. As Secretary General Dr....
