If you’re taking the General Data Protection Regulation (GDPR) at face value, you might be missing something:

The power it grants to Member States.

The regulation is intended to serve as a baseline, not an endpoint. So, while the GDPR sets out specific requirements that Member States and organizations must follow, it also leaves leeway for Member States to adopt their own interpretations of specific articles or to impose additional restrictions.

The following Member States have already imposed their own laws that build upon the GDPR’s baseline.

  • Austria
  • Belgium
  • Germany
  • Slovakia

Bills have also been drafted in 16 other countries.

Another important note is that these powers are not afforded only to countries that are official members of the EU. They also apply to three countries outside the EU that are part of the European Economic Area (EEA):

  • Norway
  • Iceland
  • Liechtenstein

The articles in the GDPR that apply specifically to Member States generally fall into one of two categories:

1. Things Member States are required to do.

Here are some of the key articles in this category:

Article 84: Penalties

Member States are responsible for determining and enforcing penalties for GDPR violations, as well as establishing supervisory authorities who are responsible for the enforcement.

Article 85: Processing and freedom of expression and information

Member States are required to reconcile GDPR regulations with “the right to freedom of expression and information…”

2. Things Member States are allowed to do.

Here are some of the key articles in this category:

Article 6: Lawfulness of processing

Member States can stipulate additional provisions applying to the lawfulness of processing personal data, specifically when processing is necessary for compliance with a legal obligation or for a task carried out in the public interest.

Article 8: Conditions applicable to child’s consent in relation to information society services

Member States can lower the age at which a child can consent to processing, to as low as 13 years old.

Article 22: Automated individual decision-making, including profiling

The GDPR stipulates that data subjects “have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

Member States can allow organizations to bypass this as long as “suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests” are implemented.

Article 23: Restrictions

Member States can restrict the scope of certain GDPR articles, “when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure…” to protect national and judicial interests.

Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes

Member States can adjust the rights referred to in Articles 15 (access), 16 (rectification), 18 (restriction), and 21 (objection) when personal data is processed “for scientific or historical research purposes or statistical purposes” or “for archiving purposes in the public interest.” However, a Member State may make such adjustments only in cases where fulfilling those rights is likely to render impossible or seriously impair the achievement of the specific purpose for which the data is being processed.

The more organizations learn about the GDPR, the more complex the regulation seems to be. But it doesn’t have to be that way. LBMC Information Security can help you determine how your organization may be impacted by the GDPR and what you can do to become compliant.