25 May 2018

"Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning." (Churchill)

The General Data Protection Regulation (GDPR) is in force today, 25 May 2018. After a late flurry of activity in Parliament, the UK's Data Protection Act 2018 (DPA 2018) is also now in force. Together, these new laws overhaul the rules relating to the protection and use of personal data. They require organisations in the public and private sectors to adopt an ongoing and risk-based approach to the protection of data relating to identifiable, living individuals.

Many headlines have focused on the significantly increased fines and enforcement measures available to data regulators. The maximum financial penalty is now €20 million or 4% of an organisation's annual global turnover, whichever is the higher. Regulators can also make "stop now" orders, with the potential to close down a non-compliant business. However, data regulators including the UK's Information Commissioner's Office (ICO) have emphasised that the most severe enforcement measures will be a last resort. The ICO is seeking intelligent engagement with the new law, recognising that genuine and reasoned attempts to comply should result in lower penalties. The ICO is also keen to help organisations to move towards compliance. To that extent, 25 May 2018 is the beginning of a journey, not an arrival at a tick-box destination.

Today also marks the beginning of the "consistency mechanism", an element of GDPR that requires data regulators across the EU and EEA to interpret and apply the law in a clear and consistent way. The new mechanism was necessary in view of differing interpretations and decisions under the previous legal regime. In practice, the consistency mechanism means that the precise application of GDPR will evolve. Regulators will have to identify priority areas for attention, perhaps focusing on "gateway" questions such as the interpretation of the GDPR's territorial scope provisions in Article 3 to determine when non-EU organisations are subject to regulation. 

In light of the lateness of the final text of the DPA 2018 and detailed guidance from EU regulators and the ICO in relation to some areas of GDPR, the move from preparation to business as usual will also undoubtedly reveal that there is still more for organisations to do. Given these elements of evolution, GDPR compliance cannot be seen as a fixed or static exercise. It will, necessarily, be an ongoing and risk-based process.

There is, however, already a significant body of guidance, including checklists and templates, issued by regulators including the ICO. The ICO's key source of information is its Guide to the GDPR, which is updated on a regular basis and will be a valuable resource for monitoring changes and developments.