30 January 2020
Helping Europe Become GDPR Compliant
The General Data Protection Regulation (GDPR) is the most significant change in data privacy legislation for over twenty years. At the same time, it also presents a complicated list of requirements that can be a major challenge for all organisations but especially for small and medium-sized enterprises (SMEs).
Taking all of these requirements into consideration, businesses are finding it difficult to ensure GDPR compliance. The requirements are at times either too vague or too open and therefore subject to interpretation, which is where businesses struggle with their compliance endeavours.
As part of CyberSec4Europe, we have established GDPR guidelines to help alleviate the challenges regarding the adoption of and compliance with the GDPR. These guidelines are a synthesis and combination of requirements from the GDPR, European Data Protection Board (EDPB) guidelines, frameworks and up-to-date standards relating to data privacy protection in the European Union.
The guidelines, which include the WP29 Guidelines endorsed by the EDPB, follow the latest standards, methods and frameworks for risk analysis and include a simple-to-follow methodology that was made as objective as possible. By following these guidelines, data controllers and processors can either execute a data protection impact assessment or use a step-by-step set of recommendations for GDPR compliance.
Our report combines and summarises known guidelines and opinions in the form of an actionable to-do list, supported by integrated checklists and concrete guidelines with explanations. It presents a baseline of identified risk to conduct threat analysis during a data protection impact assessment and an easy-to-follow set of instructions when additional information is needed to explain decisions taken. It also includes documentation of the analysis process as well as the required data protection officer consultation template and an optional self-assessment template. However, the document does not replace the need to understand the GDPR requirements.
During our research, we identified many issues with regulatory harmonisation in the field of privacy in the EU, which led us to design a questionnaire to collect information about additional privacy requirements across Member States. Please note that the specific requirements of individual Member States were addressed but are not covered in the report, and the results only reflect the needs of the Member States (and countries in the European Economic Area) from which we received replies.
Preliminary results show that, currently, service providers and producers cannot avoid market segmentation due to differences in regulatory requirements. An example of this is the different minimum age required for consent as shown in the figure below. Businesses have to understand the local requirements of every Member State in order to be able to adapt to local requirements.
The second area where we suspected there might be divergence between Member States was regarding the use of biometrics for access control in the private sector. The suspicions have been confirmed by the preliminary results as shown below.
In conclusion, while the GDPR sets the bar very high for data protection in the EU and has been adopted in one form or another in many other jurisdictions globally, there is still a lot of work to be done to make this regulation as practically applicable as possible, not only within but also between Member States.
Marko Hölbl, UM