Regulatory reform readiness – are you prepared for legal change?
January 15, 2015
Businesses and citizens in the EU have been living with deep uncertainty about the future of data protection law for three years now. In January 2012 the European Commission published its proposal for a new General Data Protection Regulation, to replace the current Data Protection Directive, and the journey through the EU political institutions since then has sometimes seemed unnecessarily prolonged and arduous. Many times the analysis of the effect of the proposed reforms has turned into a 'will they won't they' debate, as commentators speculate on the chances of the EU actually delivering a completed piece of new legislation.
The 'will they won't they' debate is necessary and important. Businesses and citizens have a right to expect certainty within the law, so that they can make proper plans and judgments about where they place their investments and with whom they entrust their personal data.
Yet the debate can also disguise some critical facts.
The first fact is that the three year process so far is not unusual or unnecessarily long. It is entirely consistent with the EU's usual method and approach to law making. People with long enough memories will remember that it took even longer for the EC (the EU's predecessor) to complete the legislative journey of the Data Protection Directive.
The second fact is that there is a massive political consensus within the EU about the need for law reform. The draft Regulation has the support of the Commission, the Parliament and many Member States. More is agreed than disagreed.
The third fact is that the current law is being interpreted by national regulators and the Court of Justice of the EU in a way that is highly consistent with the ambitions of the draft Regulation. The point to remember is that proposals for law reform are driven by a wish for change in the community of people behind the proposals. In this case it is the data protection regulators who are behind the proposals, so it shouldn't be surprising if they act 'as if' reform has already occurred.
In other words, the momentum is still with the draft Regulation. It is more likely than not that the Regulation will complete its political journey and deliver new law.
The real challenge for businesses is how to use the time that is currently available to them to make the best possible adjustments to their systems and operations for data protection so that they are optimised to meet the challenges of the new law when it comes into effect. Sensible businesses will be planning now. Neglecting the planning and adjustments simply on the basis that the pathway of the law is 'uncertain' is a not an intelligent choice.
Now is the time for businesses to move towards states of 'Regulatory Reform Readiness'. The impact of the likely legal changes for their businesses ought to be considered and the gaps between their current and desired levels of legal compliance ought to be measured. From there, strategies for adjustments and business transformations can be developed, which deliver changes in measured, proportionate and effective ways.