Tuesday, May 29, 2018
General Data Protection Regulation Arrives, Ready or Not
On May 25, after advance notice that gave companies two years to bring their practices and policies into compliance, the EU’s General Data Protection Regulation came into effect. From all reports, the majority of US firms still have a lot of work to carry out to achieve compliance. At the same time, EU member states were equally lax, with only 11 meeting the deadline for enacting legislation reconciling their Directive-era data protection laws with the Regulation. Only Germany, Austria, Slovakia, Denmark, Sweden, the UK, the Netherlands, Poland, Belgium, Ireland and Croatia met the deadline; France did adopt a new data protection law, but it was immediately placed under constitutional review. The 16 member states failing to implement the Regulation are technically subject to infringement proceedings by the European Commission, although such proceedings are unlikely given that the Regulation itself came into immediate effect in each member state. Rounding out the unreadiness of US firms and member state legislators was the lack of preparedness of regulators. Seventeen of 24 DPAs responding to a Reuters survey in early May said they lacked the necessary funding, or would initially lack the powers, to fulfill their GDPR responsibilities. GDPR compliance and enforcement are clearly works in progress.