The idea to enforce it was each country Data Protection Agency is the key contact for any data/security issue - doesn't matter if it's reported by the company itself, or by a consumer who denounced a breach in data protection terms.
Then the country can issue any fines, reporting to EU agencies, etc.
The problems are:
- This process isn't clear for companies, let alone consumers;
- Not all Data Protection Agencies are the same, neither have the same resources. Here, in Portugal, when GDPR was live, the director of the agency came out to the public and said it was impossible to enforce anything because they didn't have the resources to do it. He was fired.
The reality is that it's extremely hard to control so many players, and delegating it to each country, some of which underfunded, doesn't get us anywhere.
The idea to enforce it was each country Data Protection Agency is the key contact for any data/security issue - doesn't matter if it's reported by the company itself, or by a consumer who denounced a breach in data protection terms.
Then the country can issue any fines, reporting to EU agencies, etc.
The problems are:
- This process isn't clear for companies, let alone consumers;
- Not all Data Protection Agencies are the same, neither have the same resources. Here, in Portugal, when GDPR was live, the director of the agency came out to the public and said it was impossible to enforce anything because they didn't have the resources to do it. He was fired.
The reality is that it's extremely hard to control so many players, and delegating it to each country, some of which underfunded, doesn't get us anywhere.