As it was announced all around the world, GDPR came into force on the 25th of May, 2018 and triggered various changes for companies worldwide. 9 months following its enforcement, first reports were issued on what was achieved and how not only organizations, but different countries as well, have coped up with these challenges. Here is a short review of the European Data Protection Board (EDPB) report regarding the first 9 months of GDPR enforcement. 

Cross-border cooperation

Under the new regulation, a joint cooperation of Supervisory Authorities and consistent mechanisms provided by the European Data Protection Board is of utmost importance, in order to achieve a harmonious, consistent connection.

GDPR introduced a new mechanism called One-Stop-Shop, meaning that organizations in charge of cross-border personal data processing activities will only have to answer to one supervisory authority in the future – the Lead Supervisory Authority.

Ever since the introduction of the GDPR until the end of the 9-month period, the total amount of cross-border procedures that have been initiated for the appointment of the Lead SA was 642, out of which 306 were closed, according to the report published by the European Data Protection Board.

Moreover, the total number of cases reported by SAs from 31 European Economic Area countries was 206326, leading EDPB to conclude that the cooperation and consistency mechanisms are on a satisfying level.  

European Data Protection Board (EDPB)

The introduction of new regulations elevated EDPB to a whole new level, since it became the body in charge of the application of the General Data Protection Regulation. EDPB acts as a dispute resolution body and adopts binding decisions when a dispute takes place within the One-Stop-Shop mechanism, in case of a disagreement in the appointment of the Lead SA, or if a SA does not request or follow a consistency evaluation of the EDPB.  

The report stated that, so far, not a single cross-border case has escalated to the EDPB level.

Imposed fines

Following the introduction of GDPR, companies collecting and obtaining personal data started taking their obligations more seriously, in order to avoid large fines stipulated by this regulation. EDPB reports that the collective fines already issued by SAs from 11 countries total a jaw-dropping amount of 55,955,871 EUR. However, the majority of this amount is actually a fine of 50 million EUR Google had to pay due to a dispute with a French data protection watchdog.

Nevertheless, EDPB concluded that the GDPR regime is functioning well so far. In the initial period, companies were given some time to adjust to the new regulation and practice new mechanisms such as international cooperation. It is safe to say that the adapting period was successful, considering the fact that there were no cases that escalated to the EDPB level. The two-year preparation phase conducted by SAs must have largely contributed to the successful, smooth management of an increasing number of cases.

You can read the EDPB report in its entirety here.