The European Parliament has today adopted the data protection reform package, including the General Data Protection Regulation (GDPR). This follows adoption by the European Union’s Council of Ministers on Monday and brings the European legislative process to a close.
This last step has started the clock ticking towards a deadline for compliance by organisations anticipated to be in Summer 2018. There isn’t a firm date yet because the final text will need to be translated into the EU’s official languages and published in the Official Journal first.
Adoption of the package has been long trailed for organisations. Back in December 2015, Steve Wright, Chief Privacy Officer at Unilever, described the need for organisations to get ready for compliance as “urgent” and the Information Commissioner’s Office (ICO) has recently published a helpful 12-step checklist urging organisations to prepare for the changes.
One question that has come up repeatedly is whether there is any point in delaying compliance until the outcome of the EU referendum in June. The ICO has strongly encouraged organisations not to delay as it means losing valuable compliance time.
Even in the event of a Brexit vote, failure to prepare for GDPR will look short-sighted.
There will be a two-year lead-in time to the formal exit process, but renegotiating third-party-status treaties will likely take longer than that. In the meantime, organisations will still need to do digital business with the rest of the EU with some level of certainty. In practice, this may mean adopting a common position on data protection, or at a minimum providing assurances in line with those offered by the US in the context of the EU/US privacy shield.
More interestingly, should we read into the ICO’s encouragement a suggestion that, absent the GDPR, these are rules we might look to invent for ourselves anyway? As Daniel Greenberg pointed out in a recent article on legislative policy making, our governments will need to get policy from somewhere.
Also of interest to those watching this space is the fact that, now that the GDPR is almost agreed, the Commission has decided to launch its a consultation on the E-Privacy Directive. It is shaping up to be a busy Summer.