The European Commission's GDPR, which was adopted earlier in April and will start being enforced in 2018, is aimed at improving data handling and privacy for EU citizens (regardless of where they are based) and EU residents.
The GDPR represents a significant change for businesses, with failure to comply potentially resulting in penalties of EUR 20m or 4% of revenues (whichever is higher).
Yet, to the consternation of businesses, there is continued ambiguity in the regulation. The two-year grace period is therefore likely to be a dual process: first understanding the rules correctly, then ensuring they are implemented.
There are several key issues that have yet to be clarified in the regulation, including how a company will consult with a lead data protection authority, how it can protect its intellectual property while meeting the mandates of the regulation, and how data consent can be granted, experts said.

In the meantime, businesses should be implementing the overarching elements of the law while monitoring the elements that are being refined during the two-year grace period, said Mary Hildebrand from law firm Lowenstein Sandler. “Compliance with GDPR for many companies will require extensive re-engineering,” she said. “We can only be guided by the legislation as it exists, and it’s a challenge without appropriate guidance to jump from the high level to the granular detail in order to comply.”