The long-awaited General Data Protection Regulation was published in the Official Journal of the European Union on 4 May 2016. This means that the most comprehensive reform to the EU’s omnibus data protection law in 20 years will apply throughout the European Union from 25 May 2018.
We have written in previous posts (here and here) about the key differences being brought in by the GDPR, and the likely impact on businesses. The impact of these changes will be significant; not least of these is the potential for fines up to 4% of annual global turnover or €20 million, whichever is higher. Addressing these raised compliance standards is likely to be challenging and time-consuming, even for the most efficiently governed organisations.
This view is echoed by recent guidance from the UK’s Information Commissioner’s Office (the “ICO”): “It is essential to start planning your approach to GDPR compliance as early as you can and to gain ‘buy in’ from key people in your organisation. … In a large or complex business this could have significant budgetary, IT, personnel, governance and communications implications”.
Further guidance is expected over the coming months from the EU Data Protection Authorities on the implementation of the new law. In addition, the ICO has announced they will be working closely with trade associations and bodies representing the various sectors.