Evaluation of the GDPR: EFDPO suggests a cutback in bureaucracy to support small and medium-sized enterprises

Jun 24, 2020

Position paper gives recommendations from practicioner’s point of view

On the occasion of the first evaluation of the General Data Protection Regulation (GDPR) by the EU Commission, the European Federation of Data Protection Officers (EFDPO) calls for a relief for small and medium-sized enterprises. In a position paper, the umbrella association suggest a cutback in bureaucracy by involving the Data Protection Officer (DPO) more intensely. The bureaucracy created by the GDPR does not result from the designation of the DPO, but from the comprehensive organizational and documentation obligations of the GDPR, which exist independently of the DPO and are subject to a fine. The involvement of the DPO therefore leads to a relief for small and medium-sized businesses.

“Even the most vocal critics at the beginning of the GDPR have now come to realize that the regulation was the right and future-oriented step for data protection in the EU,” says Thomas Spaeing, President of the EFDPO. “Despite all the advantages, however, we also see potential for optimization in some points and would welcome a discussion about this.”

In order to provide true support for small and medium-sized enterprises (SMEs), the EFDPO supports, in its position paper, an obligation for controllers/processors with a DPO to report all incidents or possible incidents of a personal data breach directly to the DPO. In a second step, only those data breaches that pose a high risk to the data subjects will be directly forwarded to the supervisory authorities. The DPO also keeps a register of all incidents and monitors the corrective measures. 

As a further measure, the EFDPO recommends that DPOs should play a more essential role in drafting and observing a Data Protection Impact Assessment and the Risk Analysis and be responsible for the records of processing activities.

In addition to disentanglement and harmonization within the GDPR, particularly regarding documentation obligations, the position paper advocates mitigated sanctions if companies have actively involved a DPO in the fulfillment of these obligations.

Lastly, the EFDPO sees room for improvement in the information obligation in order to achieve better general comprehensibility and transparency for the data subjects. Further information is available in the EFDPO position paper, which can be downloaded here.

Recent news

Jun 24: EFDPO OPEN TALKS – FREE ONLINE FORMAT

Jun 24: EFDPO OPEN TALKS – FREE ONLINE FORMAT

15:00 - 18:00 CET EFDPO Open Talks One of EFDPO's goals is to create a European network of national associations for the exchange of information, experience and methods, and to improve the quality of training and professional practice. With this in mind, EFDPO in...

read more
Covid self-tests and data processing

Covid self-tests and data processing

After the Greek DPA received a series of questions regarding performing self-tests in the context of managing the pandemic coronavirus crisis and reopening country's activities, submitted by parents of pupils, as exercising parental responsibility of their minor...

read more