The European Parliament yesterday approved the General Data Protection Regulation ("GDPR"), adopting the Council's text at first reading. It was a momentous occasion which, at times over the last four years, seemed unlikely to happen. All that now remains is for the text to appear in the Official Journal of the European Union; the GDPR enters into force 20 days after that. However, given the GDPR's two-year implementation period, the new obligations will only become applicable at the end of that period, i.e., on or around early summer 2018.
"New rules fit for a digital era" was the headline of the European Parliament's press release yesterday. "Rapid technological developments … globalisation … the scale of collection and sharing of personal data" have certainly been the catalyst for this legislation, as Recital 6 explains. As Fieldfisher Partner Phil Lee explained, the GDPR has created a new threshold for the standard of data protection, and "Europe has become the flag bearer for best practice in the treatment of individuals' data". Questions have been raised as to whether the GDPR is too individual-centric, especially given the extensive rights data subjects will have, including the right to erasure and the right to data portability, not to mention the requirement that all information be disclosed to individuals in a transparent manner.
The obligations for businesses have certainly become more extensive, and the consequences for failing to comply enormous. Ever since the first draft of the GDPR, the potential level of fines has been headline-grabbing. Businesses which breach the Regulation face fines of up to €20,000,000 or up to 4% of their "total worldwide annual turnover", whichever is higher. Such figures are enough to make any board blink and reconsider its business's data protection strategy. Data protection is now firmly centre stage. It is no longer an afterthought and needs to be a high priority on the board's agenda.
Under the GDPR, businesses not only need to comply with its provisions; they are also accountable for evidencing their compliance. Those in regulated industries will be familiar with this concept, although, according to the European Data Protection Supervisor ("EDPS"), the word has "currency in English but in few other languages". Accountability is such a central theme of the GDPR that the EDPS will itself, later this year, begin a project to explain and implement the idea. Accountability will certainly increase a business's administrative burden. However, maintaining thorough records may prove invaluable, as a supervisory authority will be able to request them when investigating a business's compliance.
Given the potentially daunting task ahead, the best thing to do is Keep Calm and Get GDPR Ready. Take stock of your present data protection framework and then assess where you need to be in order to meet the GDPR's new compliance regime. Fieldfisher has written a ten-part blog series, Getting to know the GDPR, which will help you familiarise yourself with this new piece of legislation. Today, upwards of two years may seem a long time in advance. However, the GDPR is not something which can be implemented overnight. As with many a success, the credit is often due to the preparation. So use this time to "put your house in order" and consider how you can implement a data protection strategy that is compliant and appropriately aligned with your business. With the introduction of codes of conduct and certifications, businesses will be able to champion their own high standards of data protection best practice. Data protection today is not only about compliance; it is also about brand management and competitive differentiation.