It has taken a lengthy legislative process but on 14 April 2016 the European Parliament voted to replace the existing EU Data Protection Directive with the General Data Protection Regulation; a significant landmark in data protection legislation.
In our recent article we explored the seven key areas of change that Regulation will bring about; replacing entirely the Data Protection Act 1998 (the DPA).
Alongside the Regulation a new Data Protection Directive (the Directive) for the police and criminal justice sector has been approved providing minimum standards for police and judicial use of data.
What happens now?
Due to its statutory form the Regulation will not need to be implemented into national law, rather it will have direct effect; applying consistently to all data controllers and data processors - whether in the public or private sphere - within the European Union, automatically overriding any conflicting national legislation.
Whilst there is still time before the Regulation comes into force on 2018, all data controllers need to be taking action now to prepare themselves for compliance. Those data controllers who are not compliant with the current DPA (including transfers to the US following the recent decision regarding the Safe Harbor scheme) will find themselves with much more work to do during this time.
The Information Commissioners Office (the ICO) has issued helpful guidance for data controllers in the UK, however organisations who do not already have a good understanding of their data flows and processing will need to make this a priority before they are able to take steps towards compliance.
Those organisations who have not actively addressed data protection compliance should be mindful of the emphasis under the Regulation of the protection of individuals' rights and control over their data as well as the greater level sanctions and fines to be introduced. Further it is important to bear in mind that recent well publicised data protection leaks and high profile cases have increased individuals' understanding and appreciation of data protection and how their data should be handled.
Once the Regulation has been translated it will enter force 20 days after it is published in the EU Official Journal. Two years after this date the Regulation will be directly applicable to all member states and all data controllers and processors will need to be compliant with it.
Member states will have two years to transpose the Directive into national law. However as the UK and Ireland have special status concerning justice and home affairs there will be a limit on the applicability of the Directive in those jurisdictions.