With just over 100 days until the GDPR comes into force, the European Commission has launched GDPR guidance and a new online tool to help businesses to prepare for their new data protection legal obligations. The Commission has also called on national governments to prepare for the new rules. Although the GDPR is directly applicable across the EU from 25 May 2018, Member States need to take steps to implement national legislation to adapt existing laws, and provide for any derogations from the GDPR.

So far only two Member States, namely Germany and Austria, have adopted the relevant national legislation. The remaining Member States are at different stages in their legislative procedures (State of play available here). When adapting their national legislation, Member States are prohibited from repeating the text of the GDPR, unless such repetitions are strictly necessary. The Commission warns Member States that it is important to give businesses enough time to prepare for all the provisions that they have to comply with.

Next Steps

The Commission states it will continue working with EU Member States, and from May 2018 onward will monitor how Member States apply the new rules and take appropriate action as necessary. One year after the GDPR enters into application (2019), the European Commission will organise an event to take stock of stakeholders’ experiences of implementing the GDPR. This will also feed into the report the Commission is required to complete by May 2020 on the evaluation and review of the GDPR. The report will focus in particular on international transfers and the provisions on cooperation and consistency applicable to data protection authorities.

The Commission will also work with the three EFTA States (Iceland, Liechtenstein and Norway) in the EEA to integrate the GDPR into the EEA agreement. Only once the integration of the GDPR into the EEA agreement is in force can personal data flow freely between the EU and EEA countries in the same way as within the EU.

In regard to the UK’s withdrawal from the EU, the Commission highlights, once again, that as of the withdrawal date, subject to any transitional arrangement that may be included in a withdrawal agreement, the rules of the GDPR for transfers of personal data to third countries will apply to the UK.