After nearly 4 years of negotiations, yesterday evening the EU reached agreement on the final provisions of its new data protection laws. With it, a new era of data protection has been ushered in that will have far-reaching consequences for organisations both inside and outside of the EU.
In January 2012, the European Commission put forward its proposals for data protection reform, which included text for a new General Data Protection Regulation. Following negotiations this year with the European Parliament and the Council (the so-called 'trilogues' meetings), the three institutions reached final agreement on the Regulation's provisions late last night.
Following the political agreement reached in trilogue, the final text of the Regulation will be formally adopted by the European Parliament and Council at the beginning of 2016. The new rules will come into force two years thereafter.
For organisations, now is the time to start planning for compliance and working effectively over the next two years to be ready for what is a much stricter privacy regime. In particular, US-based organisations and other organisations based outside of the EU should start to assess the impact of being subject to the Regulation when offering services in the EU.
Organisations should start their compliance preparation by assessing their existing approach against good industry practice. Those organisations that are already developing privacy programmes or have implemented good privacy frameworks are likely to be well placed to meet the Regulation's requirements.
We will continue to provide specific updates on individual parts of the Regulation. However, in the interim, if you would like to discuss the status of your existing privacy controls and how these should be developed in anticipation of the Regulation, please feel free to contact one of our Cybersecurity and Data Privacy team members.