EU General Data Protection Regulation applicable as from 25 May 2018: an implementation plan for data controllers, processors and EU Member States for the next two years
The long-awaited General Data Protection Regulation (EU) n° 2016/679 ("GDPR") was finally published on 4 May 2016 and will be applicable as from 25 May 2018. Two years until the entry into force may seem a long period, but it is not if one considers the immense compliance gap that most undertakings or organisations acting as personal data controllers and processors must close in the meantime. Indeed, the GDPR will, among other things, require a thorough review of business processes in order to ensure the mapping of all relevant personal data processing activities and flows within an organisation, as well as a review of the data controller's general terms and conditions, consent and privacy disclaimer language, and data processing agreements.
Furthermore, data controllers and processors are not the only ones affected by the deadline of 25 May 2018. The EU Member States have also been given numerous points that they must still implement (specific rules applicable in the context of an employment relationship, scope of the exceptions to the data subject's rights, list of events triggering a data protection impact assessment, …). They should do so as soon as possible, as it is only once they have implemented these points that data controllers, processors and data subjects will have a full view of the applicable data protection regulatory framework.