There has been lots of discussion and speculation about the General Data Protection Regulation (GDPR) and the changes it will make to data protection and privacy laws. However, to date it has only been available in draft form and so whilst writers may have had an idea what the changes may be, they haven’t been able to say with certainty what it will mean for businesses.
You may have seen the news that it has now been “formally adopted” by the European Commission. But this doesn’t mean it has become law immediately, so don’t get excited by headlines about individuals having a right to be forgotten just yet!* The GDPR will enter into force 20 days after its publication in the EU Official Journal, which hasn’t happened yet, and you must conform to its provisions two years after this date. So until it’s published there isn’t a set date for when it will start applying, but we’re inching ever closer to knowing when that will be!
Two years may seem like a long time away, but the GDPR has been described as a complete overhaul of EU data protection rules and, at apparently over 200 pages long, there’s a lot for our clients (well, us!) to digest. Keep your eyes peeled for the date to put in your diary and for updates about what the GDPR means for you and your business.
* (There is some suggestion that this right already exists following a case in 2010; however, this was specific to search engines. There is also a principle underpinning this new rule which relates to an existing principle of data protection law that data should be deleted once it’s no longer necessary for the purposes for which it was collected – so some have suggested that, under this, individuals could ask that their information be deleted. The European Commission press release, however, does refer to it as a “new” right.)