After four years of discussions – and no doubt many head-desk moments – the Official Journal of the European Union has published the General Data Protection Regulation (GDPR).
This replaces the 1995 Data Protection Directive.
The distinction between “Regulation” and “Directive” is an important one. The previous directive was just that – a document to direct EU member states in the formation of national legislation pertaining to data protection.
The regulation differs in that it is directly applicable to all member states without the need for legislation on a national level.
Although there remains a small degree of latitude on certain matters for individual states, the overarching impetus of the regulation (aside from strengthening personal data rights) is harmonisation across the Union and removal of legal uncertainty.
The GDPR will come into force on 24th May 2016 and companies are being given two years to ensure compliance.
Two years may sound a long time, but at 260 pages – comprising 99 Articles and 173 Recitals – this truly is an all-encompassing game-changer.
With headlines focusing on the eye-watering punitive penalties for non-compliance – 4% of annual global revenue or €20 million, whichever is greater – worries, myths, confusion and uncertainty have taken root.
And if you’re secretly hoping a Brexit vote might let us off the GDPR hook; think again.
Whilst the dust settles and the legal eagles get their heads around the legislation, the books are written and training courses designed, my advice is to grab a copy of the GDPR for yourself and have a read:
It’s really not so bad. In fact, it’s rather enjoyable – Caveat: I might just be deviant.
I’d also suggest watching the GDPR hashtag on Twitter. Make sure to sort the wheat from the chaff; but overall, it’s a good source of information.
I will be blogging quite extensively on the GDPR moving forward.
In the meantime, here’s an irrelevant word cloud lifted from the document for my own entertainment.