Over a year after the application of the General Data Protection Regulation (GDPR), the European Commission makes an overall positive assessment. In a report, published on 24 July 2019, the Commission concludes that most Member States have set up the necessary legal framework and that the new governance system is falling into place. Individuals increasingly make use of their rights, and businesses are developing a compliance culture. EU data protection rules are increasingly being used as a point of reference at the international level. The report also includes a number of issues that need to be further improved, e.g.:

• Ensuring that all Member States comply with EU data protection rules;
• Strengthening the role of data protection authorities;
• Supporting and involving stakeholders from civil society and business;
• Making sure that individuals and businesses, including SMEs, can enjoy the benefits brought about by the GDPR;
• Integrating data protection into all relevant policies;
• Further promoting international convergence towards a high level of data protection rules.

The GDPR has been applicable since 25 May 2018. Their rules are directly applicable in all EU Member States. It does not apply, however, to the processing of personal data for national security activities or law enforcement. For the latter, Directive 2016/680 forms the legal basis for data processings.

The national Data Protection Authorities are in charge of enforcing the new rules and are better coordinating their actions through new cooperation mechanisms and the European Data Protection Board. They are issuing guidelines on key aspects of the GDPR in order to support the implementation of the new rules in the private and public sectors.

The Commission will report on the progress made in the implementation of the GDPR in 2020 again.