As part of the European Commission’s Directorate General for Justice and Consumers’ assessment of GDPR’s impact, the European Union Agency for Fundamental Rights (FRA) asked civil society organisations (CSOs) to answer a short online questionnaire about the impact of GDPR on their daily work.

The FRA report is based on responses from 103 organizations, which represent a wide range of CSOs, most of which do not work specifically in the field of privacy and data protection.

The ‘General Data Protection Regulation – one year on’ focus paper shows that two-thirds of civil society organizations understand the GDPR requirements and that around half of them have also designated data protection officers. However, even with this understanding, 77% face challenges in implementing the rules. Eighty-nine percent of the CSOs say it required effort to comply with the rules, as they understood them. This mostly relates to adopting or revising privacy policies and obtaining consent from mailing list subscribers.

he above figures are worse when it comes to small CSOs. Smaller CSOs are more likely to lack awareness or understanding of and as a result fail to implement GDPR requirements due to a lack of adequate resources. The GDPR’s principles were characterized as “cumbersome,” “complex” and “costly.” The main concern lies in the likelihood that they could miss or misinterpret important legal requirements as a result of not being able to dedicate either human or financial resources to assessing the new data protection requirements properly. Several organizations referred to their need to receive information tailored to the specificities and needs of civil society.

The paper provides helpful insights for the European Commission’s overall assessment of the GDPR’s impact