An overwhelmingly high percentage (86%) of European consumers consider data security an important factor when choosing a company to buy from or work with (ranking it higher than product quality). On the other hand, 74% of businesses don’t believe their privacy track records are even among the top three considerations for customers. Regardless of these perceptions, the General Data Protection Regulation (GDPR) is forcing companies to take the care and keeping of EU citizens’ data more seriously.

Complying with the GDPR is no simple task in itself, but as companies have started aligning with its requirements, new GDPR Member State derogations have come into the spotlight as well. Simply put, a GDPR derogation allows Member States to modify or add to the regulation’s requirements (most exist in Articles 23 and 85-91 of the GDPR). These exemptions or derogations give Member States a little flexibility, making the implementation process easier.

However, derogations do complicate compliance for the corporations trying to keep up with all the GDPR requirements. To help those working hard to comply with the GDPR, our team made a handy chart of the Member State derogations everyone should know. It’s mapped out by Member State and cross-referenced to the requirements of the GDPR.

You can download it right here.


Let Us Introduce You to Member State Derogations

GDPR derogations are limited to about 50 provisions of the GDPR, mostly found in Articles 23 and 85-91. Article 23 functions as an overview of derogations. It details the instances that allow for derogations (national security, crime detection and prevention, employee data processing, etc.) and gives strict instructions on the circumstances under which derogations are permitted. A derogation can only be made if it “respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard” the specific areas mentioned above (full list here).

Articles 85-91 provide some exemptions for specific processing activities. For example, when it comes to processing for journalistic, artistic, academic, or historical research reasons, organizations have a little more wiggle room. These articles also allow for some modifications when it comes to processing employee data. 

We created a handy chart that details the key derogations you need to know. Download it right here.

Which Member States Have Derogations? 

Before you start panicking about all these GDPR derogations, there’s something you should know. As of January 22, 2018, only two Member States have actually enacted laws formalizing these derogations: Germany and Austria. Others, like the Czech Republic, France, and The Netherlands have draft derogations in the works. While no longer a member of the EU, the UK has chosen to align with the GDPR, but has made some modifications as well.

Germany’s derogations have caused quite a stir in the EU and have become something of a landmark in GDPR derogations. Germany has chosen to enforce harsher penalties (including criminal penalties and fines for individuals) and has stricter requirements around which organizations need a DPO.

You can read more about Germany’s now famous (by GDPR standards) derogations, as well as those in the works for The Netherlands, the UK, France, and the Czech Republic, in our helpful guide to derogations right here. 


What You Should Do About Derogations

There are a few actions you should take now to align with both the GDPR and these Member State derogations.

  1. Identify the EU Member States your company has operations in and determine if they have enacted any derogations. Currently, that list is pretty short.
  2. Determine if these derogations apply to your organization’s processing activities. This requires a comprehensive knowledge of your data processing activities (as does compliance with the GDPR itself).
  3. Perform an assessment to identify any gaps in compliance with these derogations, building a roadmap to compliance activities as you go. 

While derogations may be another hurdle on your road to GDPR compliance, there are lots of resources and experts ready to help you clear it. If you have questions or want to learn more about performing a GDPR derogations gap analysis, just let us know.


