The European Commission published its first draft of the EU General Data Protection Regulation (“GDPR”) in January 2012, which set out a comprehensive reform of the current existing EU regime. The reform was designed to give citizens more control and protection over their personal data. In April 2016, the final text of the GDPR was formally approved.
The GDPR then entered into force on 25 May 2016 with a two-year implementation period before it comes into effect. This period gives organisations until 25 May 2018 to prepare for the new rules to apply.
In particular, the GDPR:
- has a broader scope than the current EU Directive – it will apply to organisations located outside the EU that offer goods and services to EU citizens or monitor their behaviour;
- includes enhanced compliance requirements; and
- gives rise to increased risk exposure for non-compliance – with maximum penalties for certain breaches under the new tiered sanctions being up to EUR 20 million or 4% of annual worldwide turnover, whichever is the greater.
With just under 12 months for organisations to get their houses in order, compliance teams should be looking carefully at their existing arrangements and the underlying systems and controls they currently have in place.
In the meantime, at the European level the Article 29 Working Party (“WP29”) has adopted finalised GDPR guidelines and FAQs on data protection officers, data portability and lead supervisory authorities, and intends to release further guidance on other priority areas later this year. The UK Information Commissioner’s Office (“ICO”) has also issued a range of guidelines to assist organisations with compliance, including a constantly evolving “Overview of GDPR” which is intended to form the ICO’s guide to the GDPR.