Effective Date Set for EU General Data Protection Reg

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

May 4 — The final text of the European Union General Data Protection Regulation (GDPR) was published May 4 in the EU Official Journal and will apply across the bloc's 28 member states May 25, 2018.

“The GDPR presents new risks and challenges for businesses operating in the EU and, in some cases, for businesses operating outside it,” Philip James, a technology partner at Sheridans in London, told Bloomberg BNA May 4. “Data protection should now be treated as a core business risk,” he said.

The GDPR (Regulation (EU) 2016/679) will replace the EU data protection directive (95/46/EC), which will be repealed May 25, 2018.

The GDPR applies to all commercial processing of the personal data of EU data subjects, wherever that processing takes place. The regulation also introduces new and reinforced rights for data subjects, such as rights to portability and erasure of data, and allows for high fines in case of privacy breaches.

The European Parliament April 14 finalized the more than four-year process to amend and negotiate the GDPR, after it was proposed by the European Commission—the EU's executive arm—in January 2012 (15 PVLR 791, 4/18/16).

Culture Change

James said companies affected by the regulation should “develop and undertake an ongoing data protection audit framework, review supply chain management and change existing culture and processes to meet the requirements of the new law.”

“Of all of these, cultural change will be the most difficult,” he added.

The EU Official Journal May 4 also published the finalized texts of the directive on the processing of personal data for law enforcement (Directive (EU) 2016/680) and a directive on the use of airline passenger name record (PNR) data for law enforcement (Directive (EU) 2016/681).

The law enforcement data directive requires EU member states to adopt its provisions by May 6, 2018, while EU countries must adopt the provisions of the PNR Directive by May 25, 2018.

Both directives were finalized April 14 by the European Parliament alongside the GDPR (15 PVLR 843, 4/25/16).

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com

For More Information

Full text of the official journal publication is available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC.