I attended a very interesting public hearing committee on Civil Liberties, Justice and Home Affairs at the European Parliament this week.

The meeting heard from three different panels about their experience of GDPR over the last three years, was it working? and what needed changing? (if anything).

Perhaps the strongest message to emerge from all of the panels was the need for the Data Protection Authorities (DPAs) in each country to be better funded. The French DPA (CNIL) suggested the idea that Governments should fund their DPAs in the same way as many fund defence and International Aid, as a percentage of the countries Gross Domestic Product (GDP). This was generally met with support, although recognising that it would require all EU states (and presumably the UK if we are to keep the same pace as the EU) to invoke primary legislation to make this change happen.

In terms of the implementation of GDPR, the general feel was that it had been successful, and that although it did place an overhead on business, this overhead was not unwieldy. Again, what was a cause for discussion was that all EU countries and the UK were now imposing GDPR, the level of implementation differed from EU country to EU country.

The third panel discussed how consumer rights were being protected by GDPR. The general feel across the room was that many residents were now much more aware of their privacy rights and were utilising those rights.

So, in summary, is GDPR working? the answer must be yes (but with the caveat of the lack of DPA resourcing and as a result the recognition that there was still a need to encourage registration by companies and other organisations (in the UK only circa 22% of companies and organisations who should have registered for GDPR have actually done so),  

Is there a need for further reform? The majority feel was that the answer to this was no, but there was a need to keep a watching brief on AI and other emerging technologies and possibly encourage the use of supplementary legislation to effect any changes required to meet the challenges of those emerging technologies.