The GDPR has been published!

May 04, 2016

Following the flurry of activity around the EU General Data Protection Regulation (GDPR) in April, the final text was published in the Official Journal of the EU today. The GDPR will enter into force 20 days from its publication in the Official Journal, meaning the clock for compliance with the GDPR really starts ticking on 24 May 2016. There will then be a two year grace period before the GDPR becomes fully applicable. The final text published in the Official Journal can be found here.

What happened in April?

April was a crucial month for the GDPR. The Council of the European Union released its revised text of the GDPR on Wednesday 6 April, and formally adopted this version of the text on Friday 8 April. For the final text to come into force, both the European Parliament and the Council of the European Union needed to adopt it. Following adoption by the Council of the European Union, on Tuesday, 12 April the Civil Liberties, Justice and Home Affairs Committee voted to approve the text to the European Parliament for its second reading. On Thursday 14 April, the European Parliament passed their vote to adopt the GDPR during their plenary session.

What changed in the final text of the GDPR?

The final version of the GDPR followed a legal and linguistic review of the version released in December 2015. A comparison of the two texts can be found here.

The changes made were linguistic, stylistic and clarification tweaks, rather than more substantial changes. Examples of some of the changes made are listed below.

Linguistic changes - there have been a number of changes made to tighten the language of the text. For example, there has been a global change of the term ‘individuals’ to ‘natural persons’, similarly the term ‘data’ has been updated to ‘personal data’ and ‘law of a Member State’ is now ‘Member State law’. In the majority of cases ‘must’ has been amended to ‘shall’.

Stylistic changes - the numbering of the recitals and of the provisions has been amended to streamline them, making some instances of sub-paragraph and sub-article numbering now numbered recitals or articles in their own right.

Clarifying changes - additional text has been added to certain recitals to align them more closely to their corresponding provisions in the GDPR.

For example, the December draft Recital 20 (now Recital 23), which deals with the territorial reach of the GDPR, did not consistently refer to the activities of both controllers and processors being captured as envisioned in Article 3, its corresponding provision in GDPR. Additional text included this Recital 23 makes it more in line with the provision contained in Article 3.

Further, in relation to record-keeping, Recital 11 (now Recital 13) referred to there being 'a number of derogations' to take into account depending on an organisation's size. The most recent text amends this language to call out the specific derogation identified in the corresponding provision in the GDPR (Article 30, previously Article 28), namely that a specific derogation applies to the requirement to maintain records for organisations with fewer than 250 employees.

Further information

For a summary of the key changes that the GDPR will bring to current UK data protection law, please see our blog post here.

At PwC we have a number of ways to help your organisation prepare for the GDPR:

  • GDPR Readiness Assessment Tool - this tool tests your current state of readiness for the new law and your risk profile;
  • GDPR Bootcamps - we hold monthly training sessions you can join in person or via webinar where we review the requirements of at the new law. Please let me know if you wish to attend one of our bootcamps; and
  • PwC Guides - we have published a series of guides on the GDPR to help you understand what the legal requirements are and how you can comply.

If you would like further information any of the above, please contact any member of the PwC data protection team for more information.

 

To find out more about how we can help address key data protection, privacy and optimisation challenges facing your organisation, please get in touch with one of our subject leaders.