30 June, 2020
Under Article 97 of the General Data Protection Regulation (GDPR), the European Commission is obliged to report to the European Parliament and European Council on the evaluation and review of the GDPR. This review must be conducted 2 years after the date the GDPR was implemented (i.e. by 25 May 2020) and every 4 years thereafter. As required by the terms of the GDPR, the review must concentrate on international transfers of personal data and the cooperation mechanism between national data protection authorities. The European Commission announced a public consultation in April 2020 calling for views on both of these issues.
On 24 June 2020, the European Commission published its evaluation report. The report sets out how the GDPR is at the heart of the EU's framework guaranteeing the fundamental right to data protection and proposes greater harmonisation of data protection rights across the world.
The report found that the majority of EU citizens are aware of the GDPR and their national supervisory authority (e.g. the ICO in the UK) and that individuals are increasingly aware of their rights under the GDPR. These rights are effectively enforced through action taken by supervisory authorities and the ability to claim compensation for damages for breaches of data protection law.
However, whilst individuals are more aware of their data protection rights, the report concludes that more needs to be done to promote the right of data portability. This is particularly important in the context of switching service providers and will encourage competition and support innovation between service providers.
The report details the consultation's finding that some organisations, particularly SMEs, found the application of the GDPR challenging. The report confirmed that funding had been provided to supervisory authorities to develop activities to help SMEs comply with the GDPR. This includes providing template documents and guidance to assist SMEs to apply the GDPR (e.g. the 'SME Data Protection Website Hub' available here). The report announced that a further €1 million will be allocated to supervisory authorities in 2020 to support their efforts to reach out to individuals and SMEs.
The report recognised the need for further guidance to be published at both an EU and national level to assist organisations in the application of the GDPR. The report recommended adopting more practical guidance to address specific issues faced by the organisations who had responded to the consultation. The report specifically referenced the need for new guidelines on processing children's data and data subject rights, including the exercise of the right of access and the right to erasure.
The report sets out the European Commission's ambition for more countries internationally to adopt adequate data protection laws which are comparable to the GDPR. The adequacy regime is expected to play an important role in the context of the future of data transfer between the UK and the EU at the end of the Brexit transition period. The report confirms that the European Commission is currently conducting an adequacy assessment on the UK under the GDPR to ensure a high level of data protection between the two closely integrated economies.
The report also highlights how the use of standard contractual clauses is the most popular mechanism for international transfers of personal data under the GDPR. The report sets out plans to modernise the existing standard contractual clauses in order to meet the requirements of the GDPR and rulings of the Court of Justice of the EU. This will include covering all potential transfer scenarios - something which the current standard contractual clauses lack.
The report demonstrates how the European Commission will seek to address the differences in the application of the GDPR across Member States, pursue its ambition to expand the number of countries deemed to offer adequate data protection equivalent to that available in the EU, and revise international data transfer mechanisms to help companies transfer personal data internationally more easily. The report sets out a number of key findings which it will have to report on at the next review, which is due in 2024.
A copy of the European Commission's evaluation report is available to view here.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.