The European Union's General Data Protection Regulation (GDPR) is set to be finalised this week.
Last Wednesday, April 6th, the Council of the European Union published what will most likely be the final text of the GDPR, which has now been translated into each of the official languages of the EU. This formal adoption comes 5 months after the release of the compromise text which was agreed with the European Parliament in December 2015. The Committee on Civil Liberties, Justice and Home Affairs (LIBE) will vote today, April 12th, to confirm its approval of the text, ahead of the European Parliament plenary vote which is expected to take place this coming Thursday, April 14th. It will then be published in the Official Journal of the European Union (OJEU). Exactly two years after the date of publication in the OJEU, the Regulation will then enter into force simultaneously across the EU Member States.
This, however, is not the end of the journey for everyone involved at each end of the data protection spectrum. On the contrary, the implementation phase now begins: a two-year period in which organisations in the public and private sector will have to ensure that they comply with the new set of rules by the time the GDPR enters into force in 2018. It is also important to note that the GDPR will impose obligations on Data Processors for the first time – under the current law, only Data Controllers are directly liable for data breaches.
The GDPR aims at both enhancing the level of data protection for individuals whose personal data is processed by public and private sector organisations, and increasing business opportunities for private sector organisations in the digital single market by way of a streamlined administrative structure. This will be attained via:
• A definite, guaranteed standard of data protection for individuals
• Increased business opportunities in the digital single market
• More and better general tools to enforce compliance with the data protection rules
• Guarantees on the transfer of personal data outside the EU
• Compliance inherent in organisations via the appointment of a Data Protection Officer
• Compliance inherent in organisations via Privacy Impact Assessments
We at Sytorus have been preparing for the arrival of the GDPR for some time now and are ready to assist your organisation, whether you are a Data Controller or Data Processor, to become compliant with the many new rules and obligations which are contained in the 260-page document. National Data Protection Authorities throughout the EU, as well as the Article 29 Working Party and the European Data Protection Supervisor, will be issuing guidelines and opinions in the coming months to assist organisations in their preparation, and we will help you navigate these uncharted legislative waters. For the first time, a clear set of rules will be put in place regarding data protection compliance standards. Crucially, these rules will also be reinforced by specific penalties in the shape of clearly defined fines, and the possibility of criminal and civil prosecution for Data Controllers and Data Processors who break the law.
The final text of the GDPR is available here.