The long-awaited General Data Protection Regulation (EU) n° 2016/679 ("GDPR") was finally published on 4 May 2016 and will be applicable as from 25 May 2018. Two years until the entry into force may seem a long period, but it is not if one considers the immense compliance gap that most undertakings or organisations acting as personal data controllers and processors must close in the meanwhile. Indeed, the GDPR will, among other things, require a thorough review of business processes in order to map all relevant personal data processing activities and flows within an organisation, as well as a review of the data controller's general terms and conditions, consent and privacy disclaimer language and data processing agreements.

Furthermore, not only the data controllers and processors are affected by the deadline of 25 May 2018. The EU Member States are also given numerous points that they still must implement (specific rules applicable in the context of an employment relationship, the scope of the exceptions to the data subjects' rights, the list of events triggering a data protection impact assessment, …). They should do so as soon as possible, as it is only upon their implementation of these points that data controllers, processors and data subjects have a full view of the applicable data protection regulatory framework.

EU Member States

Indeed, the GDPR, even though it is a regulation that will be directly applicable in the EU Member States as from 25 May 2018, needs implementation at EU Member State level on several critical points, among other things when it comes to:

• specific provisions on the legitimate grounds of processing for "compliance with a legal obligation to which the controller is subject" and "the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller";
• the age (between 13 and 16 years) below which the specific conditions for children's consent in relation to information society services apply;
• the conditions under which the general exceptions to the data subjects' rights apply;
• the list of the kinds of processing operations that are subject to the requirement for a data protection impact assessment in addition to the operations listed in the GDPR itself (this list must be established by the national supervisory authority);
• more specific rules in respect of the processing of employees' personal data in the employment context and with regard to the processing of personal data for journalistic purposes.

These points must be implemented in a timely fashion in order to allow organisations to implement the GDPR correctly.

Data Controllers

Undertakings and other organisations that are data controllers should also start with the implementation of the GDPR right now and, more particularly, on the following key points (in order of chronological priority) on which compliance gaps with the GDPR are likely to exist.

24.05.2016

• Determine territorial applicability (especially for undertakings outside the EEA offering products and services to EEA-resident data subjects, monitoring their behaviour or having recourse to an EEA data processor) and the need to appoint a representative.
• Determine the different establishments of the data controller and the main establishment.
• Envisage the appointment of a Data Protection Officer if mandatory on the basis of the GDPR or if de facto necessary in order to assure and to evidence GDPR compliance.
• Map current data processing activities and flows in order to establish records of processing activities. These records will serve to demonstrate GDPR compliance. Look for an appropriate IT solution for data record management.
• Elaborate and undertake a mini data protection impact assessment for each existing and future processing operation and proceed to a GDPR-compliant assessment for high-risk processing operations.
• Elaborate a data breach incident management plan.
• Review internal policies/procedures and support these with adequate training.
• Adopt organisational and technical measures to assure an adequate security level (security) and purpose-bound processing (privacy by default).
• Assure other data protection principles when developing, designing, selecting and using products, services and applications involving personal data processing, in function of the risk, state of the art, nature of processing, … (privacy by design).
• Review contracts with (sub)processors, in particular contracts with technology solution providers, in order to reflect the enhanced (i) obligations (privacy by design and by default) and (ii) rights of the controller (i.a. veto on subcontracting) as well as (iii) obligations of processors (deletion or return of data upon termination, assistance in case of data breach or exercise of data subjects' rights, …).

25.05.2018

• Align business processes with the revamped data subjects' rights (incl. the right to erasure and data portability).
• Adapt privacy notices and policies to the enlarged list of elements on which data subjects must be informed.
• Review the validity of consent language in general conditions and assess the necessity to use distinct consent forms or to base the processing on other grounds.

Data Processors

Finally, data processors, i.e. undertakings and organisations acting on behalf of data controllers (e.g. technology solution providers, payroll service providers, …), will also have to review their processes and contracts. Even though most obligations under the GDPR must be complied with by the data controller, several obligations must be respected by the data processors as well and/or have a significant impact on the contracts with the data controller.

24.05.2016

• Review solutions and processes for general compliance with the GDPR.
• Review subcontracting arrangements and request sufficient guarantees of general compliance with the GDPR.
• Adopt organisational and technical measures to ensure an adequate security level (security).
• Envisage the appointment of a Data Protection Officer if mandatory on the basis of the GDPR or if de facto necessary in order to assure and to evidence GDPR compliance.
• Map data processing activities and flows performed for clients in order to establish records of processing activities. Look for an appropriate IT solution for data record management.
• Elaborate a data breach incident management plan that fits with the clients' incident management plan.
• Review internal policies/procedures and support these with adequate training.
• Assure that all staff are under an obligation of confidentiality.
• Assure the existence of a written contract with the data controller clearly defining the processor's scope of intervention (and, hence, the latter's liability under the GDPR).
• Obtain approval from clients to subcontract data processing related activities.

25.05.2018

• Review contracts with clients and subprocessors in order to reflect the enhanced (i) obligations (privacy by design and by default) and (ii) rights of the controller (i.a. end-to-end liability of a processor) as well as (iii) obligations of processors (security measures, deletion or return of data upon termination, assistance in case of data breach or exercise of data subjects' rights, …).