GDPR will apply from 25 May 2018 – certainty at last

Charlotte Mullarkey

On 4 May, the General Data Protection Regulation, now numbered Regulation 2016/679, was published in the Official Journal of the EU. This means that we finally have certainty on the date from which it will apply. A period of 20 days must pass following this publication, and the GDPR will therefore be “in force” from 25 May 2016, and will “apply” from 25 May 2018. The two year run up is about to start.

As a Regulation, the GDPR will be directly applicable in all EU Member States without the need for local implementation, though a few areas are left to Member States. This will, in many areas, mean increased harmonisation of data protection laws across these jurisdictions.

Once it is in effect, the current Data Protection Directive 95/46/EC is repealed. As companies begin the process of moving to compliance with the new requirements, Member States will need to consider the impact on national legislation that implements the Directive.

Data protection is now firmly in the limelight and has become a key board room issue, particularly given the vast increase in potential fines. The GDPR will have an impact on many businesses, both within the EU and beyond. Compliance will require a re-assessment of current strategies and implementation of new policies (for example to comply with the data breach notification requirements). The GDPR marks a new chapter in protection of personal data and many companies are already taking steps to comply.

Some businesses in the UK have chosen to put off a detailed gap analysis while they wait to find out the result of the referendum on Brexit in the UK. However, whatever the result, the ICO has made it clear that “The UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.”

It also worth noting that the ePrivacy Directive is next in line in the review process, with a consultation currently in progress.  Hopefully this process will be shorter and simpler and the two pieces of legislation will soon be aligned.

The final published text of the GDPR can be found here.

Comments published on Digital Hub do not necessarily reflect the views of Allen & Overy.

Read comments below or add a comment

Leave a comment