GDPR Top Ten #10: One Stop Shop
The Impact of the One Stop Shop Mechanism
Supervisory authorities under the GDPR are tasked to enforce and provide guidance on privacy laws in a consistent manner across the EU. This article highlights how the one stop shop mechanism will facilitate consistent privacy law guidance and enforcement, and what impact this may have on organisations and consumers.
Authors: Annika Sponselee & Rodney Mhungu
The one stop shop mechanism
For organisations active in multiple EU countries, the GDPR provides a central point of enforcement through a system of co-operation and consistency procedures that has been coined the ‘one stop shop’ mechanism. This means that if your organisation conducts cross-border data processing, the GDPR will require you to work primarily with the supervisory authority of the Member State in which you have your main establishment (usually your EU headquarters) to achieve compliance. This enforcement body will be your ‘lead supervisory authority’ for privacy-related matters that concern your cross-border processing.
In circumstances where your processing activities substantially affect data subjects in another Member State, the local supervisory authority of that Member State may either hand the case over to your lead supervisory authority or handle the case locally in co-operation with your lead supervisory authority, depending on which course of action offers the complainant the most appropriate legal remedy. Notwithstanding these co-operation and consistency procedures, each supervisory authority in the EU remains competent to handle complaints or infringements of the GDPR that are confined to its own Member State.
Essentially the one-stop shop mechanism intends to ensure that organisations and individuals can deal with cross-border privacy-related issues from their home-base, and that such issues can be addressed consistently across the EU.
The impact of the one stop shop mechanism on consumers
In line with GDPR’s primary goal to protect consumers more effectively, the one stop shop mechanism is one of the many features of the GDPR that aims to make it easier for data subjects to exercise rights related to their personal data. Data subjects can request information from their local supervisory authority about the exercise of their rights under the GDPR, which includes requests related to the cross-border processing by multinational organisations. The local supervisory authority is tasked to investigate local complaints and inform the complainant of the progress and outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary. In this respect, a consumer (data subject) can rely on their local supervisory authority to help protect their rights under the GDPR, no matter where an implicated organisation’s EU headquarters are.
In effect, the current privacy regime already handles local complaints in this manner, so the GDPR complaint process may change little from the consumer’s perspective on how they can exercise their rights. Consumers submit their complaints to their local authority today, and they will do the same under the GDPR. The biggest impact the one stop shop mechanism will have on consumers is therefore likely to be that cross-border complaints are handled more efficiently than they are today.
The impact of the one stop shop mechanism on your organisation
There will likely remain a large administrative burden in coordinating cases involving cross-border data processing, but the lion’s share of that burden will shift to regulators and away from controllers and processors of personal data. Under the current regime, the cooperation of data protection authorities (the functional equivalent of supervisory authorities under the GDPR) is strongly encouraged by policy makers, but no clear procedures are provided for in EU law. So if a multinational organisation needs to address privacy compliance in multiple countries, the organisation needs to become familiar with, and address, differing procedures in different Member States. However, when the GDPR applies from 25 May 2018, it will formally require supervisory authorities to co-operate with each other to align their guidance and enforcement procedures. This should mean that, from 2018, organisations operating across EU countries can mainly rely on the guidance and enforcement procedures of their lead supervisory authority, rather than engage with the procedures of many EU supervisory authorities.
Provided that you develop a compelling strategy for processing personal data, the promise of interacting with one clear voice of authority in EU privacy law should allow your strategy to produce its intended effects at a greater scale. This is because, on the one hand, the privacy strategy you devise based on the risks you have determined at your headquarters can be implemented consistently in every office; and on the other hand, your entire organisation can learn from the data processing experiences of each local office by feeding those experiences back to your organisation’s center of gravity.
Leverage your lead supervisory authority to scale your privacy strategy
In sum, when the GDPR applies, the one stop shop mechanism should help consumers to exercise their rights related to their personal data more efficiently, and it should also become easier for your organisation to understand those rights and your privacy risks at an EU level.
You should thus make a focused effort to leverage the one stop shop mechanism and the guidance of your lead supervisory authority in order to simplify GDPR compliance. Your organisation will be able to consult closely with your lead supervisory authority in order to create a privacy strategy based on one clear set of privacy risks, implement that strategy across all of your (EU) offices, and learn from the local experiences of each office in order to consistently measure and improve the impact of your privacy strategy throughout your organisation.