On January 24, 2018, the European Commission (“EC”) published additional guidance (“Guidance”) to facilitate the implementation of the General Data Protection Regulation (“GDPR”), which will become effective on May 25 in all 28 EU Member States. In its Guidance, the EC outlines, inter alia, the remaining “to do’s” of the different stakeholders for becoming GDPR-compliant. The EC also launched a new Online Tool to help citizens and businesses comply with and benefit from the new data protection rules.

About 100 days before GDPR’s effective date, speeding-up the implementation process seems vital. Recent studies revealed that, to date, only a small number of companies seem to have done their homework. In particular, small and medium sized companies (“SMEs”) are considered to be behind schedule.

For example, in Germany, according to recent estimates, only about half of the affected companies seem to have undertaken the necessary steps to become “GDPR-ready” in time. This exposes companies to a significant liability risk. At the beginning of February, German Member of the European Parliament Jan Philipp Albrecht, one of the architects behind GDPR, warned companies in an interview in a German online magazine about the consequences of ignoring GDPR requirements: With respect to enforcement, there “will be no pardon” after the GDPR’s effective date.

But even most of the Member States are behind schedule. Although GDPR will be directly applicable in all Member States, i.e., unlike a European directive, Member States must not transpose GDPR into national laws, GDPR still requires significant adjustments to existing domestic privacy laws. For example, Member States need to specify the application of data protection rules in specific fields such as in the public sector and in the areas of employment and social security. Member States must also set up national data protection authorities, choose an accreditation body, and lay down the rules for the reconciliation of freedom of expression and data protection.

So far, however, only Germany and Austria have enacted their own legislation (we reported on the German legislation here). In its Guidance, the EC has already indicated that it “will make use of all the tools it has at its disposal, including recourse to the infringement procedure”, if Member States do not take the necessary actions required under GDPR.

For the time being, however, the EC is attempting to facilitate the further implementation processes by a series of measures outlined in the Guidance, inter alia, by providing an additional EUR 1.7 million. funding to Member States that can be used to provide training to data protection authorities, public administrations, legal professions and data protection officers. An additional EUR 2 million of spending is also foreseeable to provide 80 percent co-financing to measures taken by data protection authorities in 2018-2019 to raise awareness among businesses, in particular SMEs, and reply to their queries.

With respect to the Brexit, the EC advised in its Guidance that it wants to ensure that the provisions applicable on the day preceding the withdrawal date continue to apply to personal data in the United Kingdom processed before the withdrawal date. The EC clarified, however, that after the UK leaves the EU, the rules in GDPR for transfers of personal data to third countries will apply to the United Kingdom unless any transitional arrangement can be reached.