General Data Protection Regulation Update
As reported in the April Locke Lord Privacy & Cybersecurity Newsletter, the European Parliament gave final approval to the General Data Protection Regulation (GDPR) on April 14, 2016. The final text of the GDPR was published in the Official Journal of the European Union on May 4, 2018, and the GDPR will come into force in all EU Member States two years and 20 days after its publication, that is, on May 24, 2018. The final text of the legislation can be accessed on the website of the European Commission here, and a summary of the key features of the GDPR is set out in a recently published Locke Lord article, accessible here on the Locke Lord website.
Although the GDPR will not apply to Member States for another two years, there are a number of steps that organisations can, and indeed should, be taking now in order to ensure that they are compliant when the time comes, including the 12 steps outlined in the UK Information Commissioner’s Office (ICO) publication “Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now.” The note from the ICO emphasises (amongst other things) the importance of an organisation understanding what personal data it holds, where it came from and who it is shared with; ensuring that it has the appropriate consents for obtaining and using personal data; and ensuring that appropriate procedures are in place for the secure storage of, and timely deletion of, personal data. As the ICO points out, many of the obligations in the GDPR are substantially the same as those in the UK Data Protection Act 1998, and so organisations that are already compliant with the current data protection law.