The General Data Protection Regulation doesn’t only require more from the companies and organisations. The data protection authorities – or supervisory authorities, as named in the GDPR, have also been saddled with an increased scope of responsibilities.
They are, in essence, responsible for ensuring the GDPR is implemented in practice. Their wider scope of authority also means more work to do. Plenty of DPAs are already bursting at the seams, barely able to meet their current obligations under the Data Protection Directive.
This is a huge issue since most will require increases to their budget in 2018 if the respective governments wish to prepare for the GDPR the right way. Even the Article 29 Working Party warned all EU governments this March that they should prepare their authorities for the GDPR.
In fact, that is a legal requirement. Article 52 of the GDPR states that “Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers”.
But this requirement enters into force with the GDPR, on 25 May 2018. The data protection authorities need funds now in order to prepare. Some EU governments have turned a blind eye to their perils.
Country Specific Funding Issues
The Portuguese DPA, for example, has been struggling for years. Bulgarian and Romanian DPAs have expressed similar concerns, reports the IAPP.
The Irish DPA has received a cash infusion of €4 million that should help them. The Irish Data Protection Commissioner, Helen Dixon, states they will use the money to hire 40 new employees. UK’s and Dutch DPAs have gone public with their pleas. Hungarian and Estonian DPAs, on the other hand, feel content with their budgets.
Most authorities project a 40 to 50 percent increase in the required budget. Most of it will go towards hiring new staff to respond to increased workloads mandated by the GDPR. Employee training is also a major cost issue, since the employees of the DPAs also need to be acquainted with the provisions of the GDPR.
The IAPP further reports that French, Finnish, Czech and Swedish authorities asked for additional funding and are now waiting for the parliaments to approve the budgetary increases.
The Polish DPA is in a particularly bad shape, according to IAPP reports. Apparently, there is a risk of the DPA being completely shut down and replaced with another authority which would be less independent from the central government.
It’s obvious the GDPR compliance process won’t be hard only on the companies, but on the DPAs, as well. The governments should increase the DPA budgets since the investment should easily multiply in the economy, as the companies will enjoy less bureaucracy when the authorities do their job properly.