Countdown to the General Data Protection Regulation (GDPR)
On May 25 2016, the General Data Protection Regulation (GDPR) became mandatory, having been published in the Official Journal of the European Union three weeks earlier. The regulation established a term of two years within which member states and businesses could adapt to the new regulation and prepare for its compulsory application by 25 May 2018.
What were countries and businesses over the last two years expected to do?
Countries had little to do in this regard as the GDPR is the kind of regulation that is directly applicable to all EU member states, and therefore, there is no specific mechanism in place for transposing it. In other words, there is no need for a Spanish law to make the European Regulation compulsory, because it is directly enforceable, just as if it were a national law. However, the GDPR is a somewhat special case as its actual content does allow EU countries to make a number of specific decisions on a few issues and so it has provided some leeway for a number of points to be specified.
Businesses, however, have had plenty to do over those two years. The significant change of approach in the strategy for complying with the personal data protection requirements deriving from the GDPR means that they have had to undergo far-reaching changes affecting internal procedures and specific obligations in order to comply with the regulation (the principle of accountability or proactive responsibility, i.e. I have to comply and I must demonstrate that compliance). In many cases, the changes may actually affect corporate organisation, for example, in those companies that are required to appoint a Data Protection Supervisor. Clearly, these processes are lengthy and complex, with tasks that in many cases entail considerable financial outlay.
At the time of writing, there are only 3 months to go before the magical deadline. And we could venture to say that little has been done to date to ensure that member states and businesses will be in full compliance with the norm by 25 May 2018.
In legislative terms, and focusing on the Spanish case, the new draft Data Protection Law (yes, we shall continue to have a LOPD but it will be completely different from the present act) is going through parliament via the ordinary channels, having ruled out any urgent passing of the bill. This means that in terms of time frames, it is unlikely that we will have an LOPD adjusted to the GDPR by 25 May 2018. However, as mentioned at the start, this does not imply any advantage or inconvenience, as the European regulation will be fully enforceable anyway.
At a business level, many companies are already in the process of adapting to the GDPR, but there is no shortage of those that have not even begun to work on this project. These companies now have just four months of intensive work and decision making remaining, unless they want to be in a precarious position from 25 May should they fail to act. The risk, as most of them are aware, is that they may be penalised with the fines established under the GDPR (involving extremely substantial sums). Above all, however, there is a risk to reputation. In the current context of the digital economy, where the public image of any business can be considerably affected (to its advantage or detriment) by activity on social networks, being identified as a responsible company in privacy matters could be a prerequisite for maintaining a good reputation with the public; conversely, a business that is known for its irresponsible approach to privacy could be seriously penalised.
However, an optimistic message is still possible in this regard. Yes, there is not much time left, but nevertheless, it is still possible to comply with the deadline in May 2018 and to have our homework done, or more or less completed. It is a question of getting started and taking a firm and decisive path.
Alejandro Padín, counsel in the Corporate Department at Garrigues Madrid