The General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union in Spring 2016, starting a countdown of just more than 2 years until its effective date.
When publishing, we are less than 1 month away from that date, which should be familiar to many by now: 25 May 2018.
Tughans has been working with a very wide range of clients on GDPR compliance projects for some time now, with our deliverables ranging from discrete pieces of advice, to drafting contract addendums and privacy policies right through to assistance with organisation-wide projects to discern how personal data is collected, used and exported, then rectify any gaps in compliance.
A frequently asked question (by clients and lawyers alike) has been whether GDPR is another Y2K?
Whilst it could be understandable to draw parallels (in light of the accompanying fanfare), that question has to be answered “No” because, whilst Y2K was a single point in time, in less than a month’s time GDPR will be here and here to stay for the foreseeable future (regardless of Brexit).
Further, given the recent media coverage of various unsuspected uses of personal data, it should be safe to assume that EU citizens will be alive to how their data is used, on the lookout for how it may be misused and more aware than ever of their rights and how to use them.
Staring down the imminent effectiveness of the greatest evolution of data protection law in decades, there may be some temptation to think that there is too much work to do. However, the amount of work there is depends on how data protection has been approached over the last 20 years. There are many, very significant, amendments being brought in by GDPR, but the key concepts of data protection remain the same; so some organisations may be further down the road to compliance than anticipated.
For those who think it is unlikely that they could comply with GDPR before 25 May 2018, it should instead be remembered that it is not a countdown to obtaining compliance, but a countdown to the day after which organisations will be expected to maintain compliance.
While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.