On January 24, 2018 the European Commission issued a communication (Communication from the Commission to the European Parliament and the Council (COM (2018) 43 final (EN))) describing the status of the completed and ongoing work in preparation for the May 25, 2018 effective date of the General Data Protection Regulation (GDPR).
Consultations and meetings are being held at the EU level, with the European Commission, and national data protection authorities. An expert group is in place to assist the Member States in implementing the GDPR and where the Member States can share their experiences and expertise. (COM (2018) 43 final EN page 5).
In preparation for May 25, the Member States have to adapt their legislation by repealing and amending existing laws, and setting up national data protection authorities, choosing an accreditation body and laying down the rules for the reconciliation of freedom of expression and data protection. (Articles 54(1), 43(1) and 85(1) of the GDPR) (COM (2018) 43 final EN page 8).
As of the date of the Communication, guidelines on the right to data portability, data protection officers, designation of the lead Supervisory Authority, data protection impact assessment and administrative fines have been adopted by the Article 29 Working Party. These guidelines are available at: http://ec.europa.eu/newsroom. Work is ongoing on guidelines/working documents for profiling, data breach, consent, transparency, certification and accreditation, adequacy referential, binding corporate rules for controllers and binding corporate rules for processes. (COM (2018) 43 final EN page 7). Additional guidance, guidelines, information and tools will be available and will be updated regularly.
While these documents will assist with complying with the GDPR, only the text of the Regulation has legal force. National data protection authorities are supposed to provide additional legal certainty regarding the interpretation of the Regulation. (COM (2018) 43 final EN page 6). The courts at national and EU level and ultimately the European Court of Justice) are to provide final interpretation of the GDPR (COM (2018) 43 final EN page 9).
The European Data Protection Board, which is included in the GDPR, is charged with ensuring the consistent application of the GDPR. Members of the Board will include the head of the data protection authority in each Member State and the European Data Protection Supervisor, or their representatives.
The European Data Protection Board will issue guidelines on how to interpret concepts of the regulation and binding decisions on disputes regarding cross-border processing. While the Communication states that this will ensure the uniform application of EU rules and prevent the same case being dealt with differently in different Member States.” (COM (2018) 43 final EN page 10), this may take some time.