You have heard 25 May 2018 and GDPR a million times in the past months, but the correct information regarding that date has rarely been provided to you. I am sure you have received dozens of emails in the past weeks asking you to (re-)consent to a certain type of processing, followed by some tailored information. This is what it all means…
The GDPR, as you know, is the EU-wide directly applicable legislation (a regulation as opposed to a directive, which means “in theory” unification rather than harmonisation) that grants individuals, ie data subjects, more control over their personal data, whether the data are already with a data controller or processor (eg Google, LinkedIn, Facebook, WhatsApp, recruitment agencies, online stores and many more) and/or when new details are required from individuals. There is no need to explain now what controller or processor mean, as those concepts are mainly for lawyers and IT teams; however, it is important to emphasise that you can only enforce your rights against a controller (mainly the company that you provide/d your details to).
You must have noticed I said “in theory”; that is to signify that unification will not be achieved, as the GDPR leaves a fairly wide margin of manoeuvre to Member States to derogate or legislate in certain areas. That is why in the UK the Data Protection Act 2018 will be relevant, but the main piece governing the area is the GDPR (as the EU could still decide a Member State has legislated in a way incompatible with the GDPR). National laws will be valid only if they comply with the GDPR.
National data protection legislation adopted by 25 May
The GDPR leaves room for Member States to adopt national legislation further specifying requirements for the application of certain articles, or derogations, etc. When adapting their national legislation, Member States cannot issue national measures which would create an obstacle to the GDPR’s direct applicability and jeopardise its application in the EU, as that would be contrary to the Treaties. Repeating the text of regulations in national law is also prohibited (eg repeating definitions or the rights of individuals) unless such repetitions are strictly necessary for coherence and/or to make national laws comprehensible to those to whom they apply. Should a discrepancy arise, as per primacy of EU law, the GDPR takes precedence. Therefore, ensure that you have at least one member (in your Privacy council or Data protection team) who fully understands EU law and its implications for companies.
The interpretation of the GDPR is left to the European courts (ie national courts acting as EU courts and ultimately the CJEU) and not to the Member States’ legislators.
If Member States do not take the necessary actions required under the GDPR, are late in taking them or make use of the specification clauses provided for by the GDPR in a manner contrary to it, the Commission will make use of all tools it has at its disposal, including commencement of infringement procedures. As of 22 May, just a few Member States have adopted national laws adapting their legislation to the GDPR, eg Austria, Germany, etc. The UK’s DPA 2018 is set to be given Royal Assent on 23 May, so we can expect the UK to be compliant by 25 May, but Spain will not meet the deadline.
For more information on this see point 3.1 of the Commission Communication of January 2018 – COM(2018) 43 Final.
Entry into force versus enforceability
The GDPR states: “This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the EU. It shall apply from 25 May 2018”. It was published on 4 May 2016 so it has been in force since 25 May 2016. The application date in this context (similarly to what happened with MiFID II, where more dates came into play, ie entry into force, transposition and application) means enforceability; in other words, the starting point to assess non-compliance. Organisations and all those directly impacted by it have had two full years to adapt to the new framework (ie re-write their internal policies and procedures, enhance or create processes to deal with data subjects’ requests, embed data protection into their corporate cultures and into the new products under development, re-write information notices and contracts, etc). So no, the GDPR will not enter into force on 25 May; it will become enforceable.
What will happen on 25 May?
On the surface, not much. You will not see news about officers of Data Protection Authorities (DPAs) – eg ICO, CNIL, AEPD, etc. – raiding or auditing any company – like Cambridge Analytica. It is not doomsday.
What you may experience though, as a data subject, is an urge to write to those companies you have not heard from – and you know they have your details – with the aim of exercising your rights. If you are at the other end, you may receive a lot of subject access requests and you need to be prepared to act, as your time is limited (generally one month). If you do not process the requests on time, a complaint may be lodged with your national DPA and then the fines we have all heard about may become real.
25 May marks the start date for you as an organisation to prove your commitment to your customers/users, to show them [or your DPA, as the case may be] you are protecting personal data in a fundamentally new and enhanced way. You need to do your utmost to comply.
What have the DPAs said will be their approach to compliance?
The IAPP has published some quotes on the approach some DPAs will take from 25 May and it is quite an interesting read. While some DPAs focus on proper enforcement, ie warning non-compliant organisations that heavy fines will be issued, others seem to focus on assistance to companies that are still struggling to meet their obligations on time. All have clearly said that non-compliance will not be tolerated, so your safest bet is to ensure you are compliant.
National versus international customers or users
Whilst you may be tempted to rely on the statement of your home DPA, you should not forget that different processing activities may have different controllers and not necessarily fall under your “home” DPA’s competence. What I mean by this is that you may be established in the UK but serve customers in France (or other EU countries). For a particular processing operation you may be “established” in France, so you should pay attention to the approach the French DPA will take, not only that of the ICO (UK). If you are certain your activities do not extend beyond the UK you can, to start with, keep an eye on the ICO website. Rule of thumb: check the approach of the DPAs that “may” be competent for processing operations you carry out or outsource.
The not-so-distant future
The GDPR contains a few mechanisms to align DPAs’ positions across the EU and those are most certainly going to be used. So even if in the beginning the DPAs may take different and possibly conflicting views, sooner or later the European Data Protection Board (the EU overseeing regulator) will take action to ensure the overall aim of the GDPR is fully respected across the EU.
As regards Member States’ compliance, the EU Commission has stated it will use all means to ensure they adopt those national rules that the GDPR requires, so we can expect infringement procedures to be launched soon after the end of May. What is crucial to understand is that from 25 May until those national measures are adopted and in force, national data protection laws adopted under the DPD 95/46/EC will not be the applicable legal framework but the GDPR instead.
The way personal data is handled in the EU (and overseas – as per the extraterritorial arm of the GDPR) has changed and you can no longer look the other way. Approach your home DPA and ask for advice if you are still unsure (though I hope you know what to do by now). Engage with your customers/users in a positive way; after all, if you keep them happy you have a massive base for referrals and growth for your company. Monitor industry best practices and codes of conduct, as they will provide valuable information, and always check EU guidance (and infringement procedures) on the matter.