EU Regulation 2016/679 (the General Data Protection Regulation, or "GDPR") was officially published on 4 May 2016. Enforcement will begin on 25 May 2018, giving businesses just over two years to bring their operations into line with the sweeping changes introduced by the GDPR.

Timeline

On 4 May 2016, after more than four years of drafts, discussions and negotiations, the GDPR was published in the Official Journal of the EU by the Secretaries-General of the European Parliament and of the Council of the EU. It will come into force after a further twenty days, followed by an effective two-year grace period, meaning that enforcement of the GDPR will not begin until 25 May 2018.

During the two-year grace period, the existing collection of national data protection laws, based on EU Directive 95/46/EC, will continue to apply. However, as the GDPR makes wide-ranging changes to existing EU data protection law, businesses will need to use this window wisely, allocating sufficient time and resources to ensure that they are compliant by 25 May 2018. Failure to meet this deadline may result in enforcement action under the GDPR, including possible fines up to the greater of €20 million or 4% of annual global turnover. France is already in the process of introducing legislation to implement fines at these levels immediately, rather than waiting for the GDPR to become enforceable. It is not yet clear whether other Member States will follow suit.