The European Union’s tough new data rules are “bearing fruit,” but some member states have still not put the General Data Protection Regulation (GDPR) into law, and only 20 percent of EU citizens seem aware of which public authority is responsible for protecting their personal information.

This week, the European Commission published an assessment of how the GDPR has been implemented across the European Union. The report concludes most member states have set up the necessary legal framework, and the new system strengthening the enforcement of the data protection rules is falling into place. It found businesses are developing a compliance culture while citizens are becoming more aware of their rights. At the same time, convergence toward high data-protection standards is progressing at international level. 

However, the assessment also highlights several areas of concern—namely, that Greece, Portugal, and Slovenia have still not updated their national data protection laws in line with EU rules. The Commission says they “must do so as a matter of urgency,” warning that it will use “all the tools at its disposal, including infringement procedures” to ensure member states comply with GDPR and limit any fragmentation of the data protection framework.

To improve GDPR awareness, compliance, and enforcement, the Commission wants to strengthen the role of data protection authorities by encouraging member states to allocate sufficient resources to them, as well as step up cooperation between them. The EU’s executive body also wants to ensure data regulators apply  GDPR in the same manner so enforcement is applied evenly and consistently across the 28-country bloc.

The report has already uncovered some instances where the interpretation of rules around the GDPR are diverging. Some member states, for example, have introduced national requirements on top of the regulation, which the Commission says “leads to fragmentation and results in creating unnecessary burdens.”

Germany, for example, requires companies with at least 20 employees to designate a data protection officer to be permanently involved in the automated processing of personal data.

The Commission  found privacy rights under the GDPR are still misunderstood by both individuals and companies and data requests are dealt with too slowly and not thoroughly enough.

It also found that while there have been several representative actions brought by privacy campaigners on behalf of data subjects, even more would have been brought if more member states had allowed such organisations to be able to do so without the need to get individuals to give them a mandate, as is possible under the regulation.

However, the Commission warns that “the success of the regulation should not be measured by the number of fines imposed, but by changes in the culture and behaviour of all actors involved.”

It points out that, rather than slapping companies like British Airways, Marriott, and Google with multi-million-Euro fines, data protection authorities have other tools at their disposal—such as imposing a temporary or definitive limitation on data processing, including a ban, or ordering the suspension of data flows to a recipient in a third country.

Věra Jourová, commissioner for justice, consumers and gender equality, said that “work needs to continue for the new data protection regime to become fully operational and effective.”

The Commission will again report on the GDPR’s implementation in 2020.