Over the past several days, the GDPR (the EU General Data Protection Regulation) took two significant steps towards adoption. On Friday, April 8, 2016, the European Council adopted the GDPR at first reading. Then today, Tuesday, April 12, 2016, the European Parliament's Civil Liberties, Justice and Home Affairs Committee (the LIBE Committee) approved the GDPR by a 54-3 vote with one abstention. The European Parliament is due to vote on the GDPR in a second reading at a plenary session this coming Thursday, which will complete the legislative process for adoption of the GDPR. The final step will be publication of the GDPR in the Official Journal of the EU, which will likely take place in May 2016. The GDPR will apply two years after the date of publication, giving companies and regulators a grace period to prepare. The interpretation of the GDPR will be shaped by guidance from the new European Data Protection Board.
Businesses now need to seriously consider the impact of the Regulation and its stricter requirements, and begin planning for implementation. A first step would be for businesses to consider whether they are subject to the expanded jurisdiction of the Regulation, and if so, carry out an internal gap analysis of current data protection practices as compared with the new requirements and rights under the Regulation. Some of the key aspects to consider include data breach response planning, reviewing existing data protection notices and consents, identifying current profiling activities and existing data protection and retention policies and procedures, ensuring privacy impact assessments are carried out where required, and appointing a data protection officer.