The talking is done and the General Data Protection Regulation is finally on the way.
Following three years of negotiations, EU officials have this week finally agreed on the wording of the new General Data Protection Regulation (GDPR).
Ultimate approval by the EU Parliament at the end of this month is now a formality.
From that point, there will be a two-year grace period for organisations to 'get their houses in order', after which the GDPR will replace the 21-year-old Data Protection Directive and become law in all 28 EU Member States as well as in Iceland, Liechtenstein and Norway. Moreover, the GDPR will be directly applicable in all Member States and will not require any conversion into national law, unlike the 1995 Directive, which was not incorporated into Irish law until 2003.
It remains to be seen how strictly the authorities will enforce compliance with the new law. Nevertheless, organisations are advised to start preparing and, where possible, building data protection strategies into their structures on the basis that regulators such as the Office of the Data Protection Commissioner will aggressively police private and public sector bodies once the GDPR becomes law.