If you glance at the “countdown clock” in the left hand sidebar of our blog, you’ll see that it has reached 00:00:00. GDPR Day is here. But, unlike Y2K (for those of you old enough to remember the near-hysteria), 25 May 2018 is only the beginning of the GDPR compliance road and not a “completion date.” It’s more like the new Sarbanes-Oxley.
Over the coming days and weeks (and months) ahead, we’ll be writing about compliance challenges being faced and discussing some of the misconceptions (and outright misstatements) that are percolating around GDPR, its application, and its requirements. We will also be closely following developments in the EU with respect to enforcement actions, member state laws following GDPR, and new guidance from the European Data Protection Board (EDPB) that just completed its first day of work today.
According to the new chair of the EDPB, Andrea Jelinek, Head of Austria’s Data Protection Authority, the Board is fully functioning, despite the fact that not all EU member states have caught up. According to the chair, the EDPB and national Data Protection Authorities have already received their first complaints regarding consent. The Board has adopted new guidelines on consent and certification.
As we’ve reminded our readers and attendees at our webinars many times, Jelinek said that there is no grace period as companies have had two years to prepare for the GDPR, but the DPAs would follow the proportionality principle when issuing fines.
The countries that have so far adopted new national laws include Germany, Austria, Slovakia, Denmark, Sweden, UK, the Netherlands, Poland, Italy, Belgium, Ireland and Croatia. France has adopted an Act but it is now under constitutional review. Jelinek said it is up to the European Commission whether to launch infringement procedures on the countries that have missed the deadline.
The GDPR is a game changer. Welcome to the new world of data protection.