Client Alert: 121 Days Until GDPR Enforcement – The European Commission Offers New Resources and Suggests Prompt Action

Client Alerts Privacy & Data Security

PDF icon

According to the ominous countdown ticker on the European Commission (EC) website, there are only 121 days until the General Data Protection Regulation takes full effect on May 25, 2018.  In a press release today, the EC announced a new online resource to help member states, citizens, and businesses understand and implement the regulation. The resource includes content geared toward businesses, with a breakdown of many key decision points, questions and answers, examples, and references.

The online resource is helpful because it provides straightforward answers to many of the complicated questions organizations are trying to address. The responses also include examples that help clarify how the requirements apply to different types of transfers and organizational arrangements. For instance, one response provides an example scenario for each legal basis by which an organization is permitted to process personal data.  Most of the responses include these useful hypothetical scenarios and also cite relevant parts of the GDPR and Article 29 Working Party opinions.

The EC also recapped the intended innovations and “opportunities” the regulation will provide, including facilitation of data flows to foster business opportunities and better protections for European residents. As a reminder, some of the more impactful “opportunities” for organizations include:

  • Single Source of Standards—a single set of data protection requirements will apply across the continent, allowing for a more standardized approach to compliance
  • Stronger Rights for Citizens—organizations must be able to observe individual rights such as the right to access their data, the right to be forgotten, and the right to transfer all of their data to another organization
  • Breach Notification—notification of a data breach is required in as little as 72 hours
  • Strong Deterrents—data protection authorities can impose fines of up to €20M or 4% of an organization’s global annual revenue, whichever is greater, for some types of GDPR violations

The EC also called upon member states and their data protection authorities to be prepared for the upcoming effective date and to speed up the process of implementing the regulation.  Member states were also directed to ensure their national authorities have the necessary resources (both human and financial) to guarantee their independence and efficiency. The EC made clear that it has earmarked sizable funds for training data protection authorities and professionals and to support national authorities in reaching out to businesses.

The EC training materials, fact sheets, and other resources emphasize that each party has a role in effective implementation and application of the GDPR, including member states, data protection authorities, businesses, and citizens. Beginning this May, the EC will monitor how member states apply the requirements and if necessary, will apply infringement proceedings against member states that fail to adhere to the regulation. Both member states and businesses can expect scrutiny after the May 25, 2018 compliance date.