We have reached half-time in the preparation period for the application of the GDPR (EU’s new General Data Protection Regulation). From May 25, 2018, GDPR will be directly applicable in all EU Member States.
Below I have collected some of the issues that may arise in connection with the preparation.
Is the remaining time enough for the preparation? Shall we hurry or do we still have some time to start preparing?
One year may look like a long period, but it is worth starting the preparation as soon as possible if it has not already been commenced.
GDPR itself is substantial reading, with its 99 articles and a very detailed preamble. Accordingly, all data controllers and processors need time to understand exactly what obligations they have under the GDPR and what tasks they have to cope with.
The preparation is ideally a multi-step process: in the first round, it is advisable to review and evaluate what kind of data processing is carried out, for what purposes and for which personal data. The data processing activities in progress need to be reviewed and the new rules should be taken into account when data processing activities are planned.
After the data processing activities are mapped, it is necessary to examine exactly what obligations must be met for data processing with different purposes and legal bases.
If this task is done, it is time to review existing data processing policies, information sheets, contracts with data processors and other documents in order to meet the legal requirements.
Do not forget that preparation is not just a legal task but, in many cases, it includes IT development, organizing and conducting internal training and many other things. These can also be time-consuming tasks.
Some of the data protection authorities from different Member States try to help in the preparation process with step plan instructions. It is also worth considering these before we start the preparation work. (These were collected in a previous post here.)
While GDPR is directly applicable in the Member States, the legislators in the Member States have tasks to do in the remaining time. For some issues, GDPR itself gives room for further legislation in the Member States (e.g. regarding the extension of the obligation to appoint a DPO - Article 37 (4) GDPR; the age limit for children, which is not subject to parental consent, can be decreased at Member State level to the age of 13 - GDPR Article 8 (1)). In other cases, Members States may adopt provisions on issues that are not regulated by GDPR or provisions superseded by GDPR should be repealed.
Until the adoption of the respective national laws there are unknown factors, but the rules of the Regulation cover may aspects of data processing activities, so the number of unregulated issues is not so great that it would exclude the start of preparation. Moreover, Member States are not in a hurry to make the relevant rules - so far only a few drafts have been published (e.g. in the Netherlands, Austria and Ireland). In Germany, the new Federal Data Protection Act was approved on May 12 and now it waits for the signing of the Federal President.Therefore, it is unlikely that the picture will be completely clear before the spring of next year. However, with the start of preparations we cannot wait so long, otherwise we would run out of time.
The interpretation of the text of the Regulation also raises many questions. Fortunately, guidelines and opinions are continuously published. (See our previous post regarding this topic here.) These materials help a lot in getting a clearer picture.
Does the Regulation apply to SMEs as well?
Just as the current data protection regime applies to all data controllers and data processors, GDPR also applies, in principle, to all data processing, including data processing activities carried out by small businesses.
However, it is worth studying the Regulation because it seeks to take into account the particular situation of micro, small and medium-sized enterprises, such as the obligation to keep records. It also cites the Preamble to the Regulation (point 13) that "the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation."
What if you fail to prepare for May 25, 2018? Will there be a grace period?
By providing two years of preparation time from the entry into force of the Regulation, the legislator gives everyone the opportunity to take the necessary steps to apply the Regulation by May 25, 2018. Thereafter, the Regulation does not provide for a special grace period. Of course, as in the case of the entry into force of any new legislation, there will be a number of practical issues and difficulties in the application of GDPR, but all efforts must be made to be prepared by the end of May next year.