After years of drafting and debating, the EU General Data Protection Regulation (GDPR) was approved by the European Parliament yesterday (14 April). It is expected to be published in the EU Official Journal in the coming weeks.
What? The GDPR sets the new EU rules for the handling of personal data. It will replace local EU data protection laws. However, the GDPR contains over 50 “door openers” for local member state laws (see this nice graphic which illustrates the point: https://www.flickr.com/photos/winfried-veil/24134840885/in/dateposted/). Life for international companies, therefore, will not get easier as they will not avoid the need to assess local member state laws.
When? The GDPR will enter into force 20 days after its official publication, estimated to be between May and July 2016. Companies will then have two years to prepare until the GDPR actually applies (two years after entering into force – i.e. May – July 2018).
Who? All businesses in the EU and all non-EU businesses that deal with data of EU citizens or direct their business activities to the EU will be affected by the GDPR. This extra-territorial scope of EU data protection laws is new and will be a challenge for non-EU businesses.
What’s next? Companies must now start to get ready for GDPR. They should start by appointing a “data champion” or project team and establishing a GDPR-readiness plan. Olswang will be helping companies to get ready for GDPR individually and through a series of “Getting Ready” events and posts on this blog.
What else? The latest versions of the text (in all EU languages) of the GDPR can be viewed at: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=consil:ST_5419_2016_INIT
For further information on the key changes to prepare for, see our article “The GDPR in two years: what your board needs to know!”, first published in the journal Data Protection Law & Policy, or contact Olswang’s Data Protection Team.