14 April 2016 - Post by: Charlotte Mullarkey
After four years of negotiation, the GDPR has today been adopted by the European Parliament.
There is an air of celebration, and no doubt equal measures of relief and trepidation, in the data protection community. Whether or not you like the way the text has landed, at least we now have a degree of certainty. Companies can now work towards compliance with the new rules with the confidence that the text is settled (subject, of course, to those matters which are left to Member States to further define or specify under or alongside the GDPR, and to any guidance or decisions issued by the European Data Protection Board, supervisory authorities or the Commission under the GDPR).
This increased certainty is particularly welcome at a time of continued uncertainty around the EU-US Privacy Shield and transfer of personal data to the US.
The GDPR will be published in the Official Journal of the European Union, possibly in the first week of May. It will come into force 20 days after publication but will not apply until 2 years after that date. This allows much-needed time to prepare. Many companies are now considering three big-picture questions.
1. What are the new obligations under the GDPR which will apply to their organisation?
2. What gaps exist between their existing state of compliance and the standard required under the GDPR?
3. What changes should they make to achieve compliance with the GDPR, on what timetable and with what order of priority, and at what cost?