LIVE FROM CPDP2018 IN BRUSSELS: the European Commission releases extensive GDPR guidance … and the crowd opines

Home / Uncategorized / LIVE FROM CPDP2018 IN BRUSSELS: the European Commission releases extensive GDPR guidance … and the crowd opines


Eric De Grasse
Chief Technology Officer

The Project Counsel Group


25 January 2018 (Brussels, Belgium) – The European Commission has released a new website  with extensive guidance on GDPR implementation for just about every stakeholder: DPAs and member states, businesses, and data subjects. Found with the short URL, there is a boat load of:

  • infographics
  • explainer documents
  • a guide to GDPR enforcement
  • a general FAQ-style information

All of it is part of a larger effort by the Commission, particularly Vera Jourová (the European Commissioner Commissioner for Justice) who announced the new materials at a press conference yesterday, to educate the entire EU about the looming GDPR, now that we’re nearly within 100 days until it comes into force.

In total, according to a press release, the Commission has earmarked 1.7 million euros to help fund data protection authorities and train data protection professionals, as well as another 2 million euros for member state-level information campaigns, particularly targeted at small businesses.

Specifically, said Jourová’s head of cabinet, Renate Nikolay, at this week’s Computers, Privacy & Data Protection (CPDP) Conference here in Brussels:


There will be targeted outreach to SMEs in member states where we hear there is large-scale lack of awareness thus far. We have to carry everyone with us. It’s not that homogenous in the EU yet. In some member states, the awareness for data protection is much more developed than in other member states.


For example, newer additions to the EU don’t have the 20 years of experience that some older member states have. So Commission VP Andrus Ansip will travel to Croatia on a GDPR-awareness campaign. Jourová will travel to the Czech Republic. Bulgaria will get a visit.

Will businesses and data subjects have similar GDPR experiences in all 28 member states? Said Nikolay:

There will be a difficulty in making that happen, but there’s a chance to avoid that. The Commission is already planning a one-year-anniversary get together with subject matter experts, politicians, DPAs and other stakeholders to evaluate what has worked thus far and what needs addressing.


And what, of note, is in the guidance? There is quite a lot of material, much of it well known to privacy professionals, but there are some nuggets of new information.  IAPP has keynoted the following key points:

  • In its communication to Parliament and the Council, the Commission notes that it has convened an “Expert Group” to assist member states in their implementation of the GDPR, and that the group has met 13 times already. The activity minutes are an interesting window into the interplay between the Commission and member state representatives. Later in the document, the Commission threatens member states with the “infringement procedure,” should they not get their GDPR implementation acts together, which might also include providing more resources to national data protection authorities. There are a number of points where the Commission implies many DPAs are under-funded for the GDPR task ahead of them.
  • We also learn the Commission is pursuing updated language in Convention 108 that will reflect the new GDPR language, in an effort to harmonize data protection principles around the globe. There’s even a chart of sorts outlining the next steps the Commission, member states, and businesses should be taking as the GDPR comes into force.
  • In total, the guidance makes clear the GDPR is to be taken seriously, but also seems to acknowledge that there is much work left to be done before May 25. It seems to echo the message that has been transmitted by many speakers on CPDP stages so far this week: The GDPR and its implementation will be a work in progress for some time to come. One speaker suggested it could take 10 years before the GDPR might be considered a mature piece of legislation that is well understood.

Last year we attended the annual meeting of the data protection officers of the EU institutions in Tallinn, Estonia. There the big concern was “boy, we are all understaffed to enforce this thing!!” That was clearly the impetus behind the Commission coming up with money to assist member staffing (“no where near enough” said a member state DPO here at CPDP. “We do not have anywhere need a sufficient budget to add more people to handle GDPR and 1.7 million spread across 27 member states is peanuts”). This issue of lack of staff has been a comment also made by a number of law firms and in-house counsel at several GDPR events we have attended.

So as I ran around the CPDP rooms yesterday and today for comment I heard (not surprisingly) similar comments to those I heard in Tallinn and elsewhere. Just a few of them:


– the Commission’s release is helpful but when it comes to how the law is going to be enforced on foreign companies we need to see guidance from the individual member states. There are some data-protection authorities that have a culture of fining and will continue to do so, while there are others that have more of a business-friendly approach, and they will carry on enforcing in that way.


– most law firms have noted the ambiguities in the law and intend to take advantage. The “public” face is to be concerned, it’s a big deal. But the “private” face behind closed doors to clients is they can litigate the hell out of it and delay enforcement. At least for the ones that can pay the big bucks. This past November in Washington, DC (and last week here in Brussels) two law firms outlined their potential “attack mode” for fighting a GDPR action, and to delay enforcement.  Said one lawyer “listen, all the Big Dogs are doing this”.

– again, many lawyers said the regulators simply don’t have the staff to deal fairly with each case so they expect regulators will target “symbolic cases” and that some of that enforcement will be arbitrary and unfair — and ripe for litigation.

– one of the big shocks is not the hefty fines imposed by regulators if they break the law, but the damages they could suffer from class action suits. And several organisations have been formed to take advantage. As we noted in a previous post, the GDPR codifies the right of consumer associations to sue for breach of data protection law. The infamous Max Schrems has formed one such organisation … which has been heavily funded … and there are at least four other similar organisations.


– several corporate counsel told us they are moving EU personal information to servers in regions like Latin America, making it more difficult for EU regulators to enforce the GDPR, although others said this was a “fool’s game”.

But the burden imposed by the GDPR will need to be dealt with … eventually. Yes, it might be a bit self-serving but I think the vendors are right on this one: when it comes to meeting GDPR compliance and security requirements, it’s time to pawn off the manual labor to machines. We have met with numerous vendors and have had conversations about the technology and the approach to take. To name but a few, you should check out GlobalSCAPR, HP Enterprise, Index Engines, Rackspace and Splunk, for example.

NOTE: we are collecting all of our video interviews with vendors on GDPR and hope to publish them soon. But depending on where you are, try to attend in Brussels, Belgium in March. Last year’s event was quite impressive but this year it will be wall-to-wall e-discovery vendors and GDPR technology vendors. And as I noted before, it is the perfect venue/set-up for a technology conference: 

All the large vendors have meeting places/coffee stations/
or offer food


Plus there are take-away restaurants and food carts 
all throughout the venue


Plus there are benches to rest or have short meetings,
with phone/tablet recharging racks
And all the educational sessions and vendor demos
are in theatres that ring the conference call

I know … it’s all just like LegalTech 🙂

Yes, no doubt. GDPR requires a strategic shift — not just a tactical one. And it will boil down to the CIO. Historically, CIOs have viewed data residing in enterprise infrastructure as enterprise property. The traditional model has been that data captured is data owned. GDPR signals a sea change in this model. In the future, enterprises will essentially only be “borrowing” data from its owners (read: citizens), who will retain specific rights relating to that data’s lifecycle. CIOs must rethink all aspects of the digital enterprise in this context.

And let’s face it: GDPR compliance is about more than just data governance. The simplistic view of GDPR compliance is that you’ll be OK if you just spend some money on data governance tools and find a sufficiently fierce data cop to enforce an organization’s internal data governance policies. But this is only partially true. Yes, to fulfill GDPR and other related mandates, you need the right technology and the right people to keep an eye on data across the enterprise.

But there’s much more going on data-wise in today’s digital enterprise than just apps and databases in production. The pressure to quickly bring innovative new digital capabilities to market, for example, is causing many DevOps teams to play fast and loose with the test data they use to get their work done. Sometimes this data is even shipped outside the enterprise to contract developers and QA shops without any masking whatsoever. Conversely, many enterprises source data from third parties without sufficiently investigating those third parties’ data hygiene practices. These actions can expose a business to serious data-related liabilities, regardless of how secure or compliant it perceives itself as being.

But my favorite, as detailed by a marketing maven attending CPDP: “it’s a branding opportunity, baby!” Look, many companies leverage corporate responsibility to their advantage. Whole Foods, Patagonia and Bombas are the classic examples — they elevate their brands and their customer engagement by contextualizing purchases as more than mere financial transactions. His point:

So …. who’s to say that data stewardship can’t become a digital equivalent of environmental protection or “buy one, give one” social benevolence? Plus, poor stewardship can have strategic consequences beyond non-compliance fines. If customers don’t think they can trust you with their data, they’re not likely to trust you with their money.

Related Posts