Time’s Up! The GDPR is Now in Full Effect
The last two weeks have been met with varying degrees of panic by companies big and small trying to finalize GDPR compliance before the new legislation’s enforcement on 25 May 2018. What feels like a million emails were sent with updated privacy policies and requests for continued subscription. But now that the dreaded deadline is here, how will companies fare in this brave new GDPR-compliant world? Let’s have a look at some of the key factors to consider.
A country-by-country case
As a regulation, the GDPR is applicable across all member states without the need for each country to pass national laws. However, each member state has its own data protection laws which will need to be aligned to the GDPR.
The new regulation also contains more than 70 opening clauses which allow member countries to modify the provisions set within them to implement stricter or laxer rules than those set out in the respective articles of the GDPR. These opening clauses include, among others, the rules governing the appointment of a data protection officer, the age of consent of children and data breach notification obligations.
While 9 out of the 28 member states have so far passed laws to update their existing data protection legislation and take advantage of the possibility to apply the GDPR to their local context, the remaining 19 have only presented drafts of their proposed amendments, with a few rushing to submit them in the last weeks leading up to the GDPR implementation deadline.
Theoretically, the GDPR is in effect across Europe as of today and, as a regulation, is enforceable in any EU state. Practically, enforcement of the GDPR will be carried out by national Data Protection Authorities, which might prove difficult for those in member states that have not yet set clear guidelines as to how the GDPR will be implemented at the local level.
A period of lenient enforcement
The few countries that have passed laws to integrate the GDPR into their national data protection legislation and clarified its opening clauses have been faced with a decision concerning the level of enforcement they will apply come May 25th. EU Justice Commissioner Věra Jourová encouraged member states to allow for a period of adjustment and tolerance of up to two years for companies still working on their GDPR compliance.
France’s Commission nationale de l’informatique et des libertés (CNIL) promised a zero-tolerance approach to those that fall short of fundamental data protection principles already in place before the advent of the GDPR. It has announced, however, that it will take a more lenient approach to the new rights and obligations introduced by the GDPR in the first few months after the implementation deadline, as long as companies can prove they have taken steps towards compliance.
In the UK, the Information Commissioner’s Office (ICO) has also talked about the need to first engage, educate and encourage companies on their journey towards compliance before resorting to the punitive powers granted by the GDPR.
In Germany, where data protection enforcement is divided between national and state authorities, attitudes vary, with the northern states, such as Hamburg and Schleswig-Holstein, on the side of immediate enforcement and the southern states of Bavaria and Baden-Württemberg taking the route of leniency.
Power to the user
Ultimately, the GDPR is legislation that benefits EU data subjects the most. While national data protection authorities have taken different stances when it comes to the immediate enforcement of the GDPR, what is likely to prompt their first actions will be the number of complaints they receive from data subjects.
If users are eager to exercise their new rights, such as the right to be forgotten, the right to data portability or the right to object to the processing of their data, and companies fail to honour those requests, users will be able to lodge a complaint with a DPA. The authorities will be obligated to investigate the matter and respond to it. That is the most likely way companies will start being red-flagged for GDPR non-compliance.
While the DPAs are currently advocating for tolerance and an approach of education and engagement, what will happen when an EU data subject’s rights are violated and they have grounds for legal action? Will the authorities still use the carrot, or will they move on to the stick? The next six months are sure to provide us with an answer.