The European Union agreed to a major reform of its data protection framework in April 2016 by adopting the data protection reform package. On 25 May 2018, the new EU-wide data protection instrument, the General Data Protection Regulation, will become directly applicable, two years after its adoption and entry into force.
The new data protection framework has been built on existing legislation. It will however have a wide ranging impact and will require significant adjustments in certain aspects. Over the past two years, all stakeholders, from national administrations and national data protection authorities to data controllers and processors, have engaged in a number of activities to ensure that the importance and the scale of the changes brought about by the new data protection are well understood and that all actors are ready for its application.
Who does the GDPR affect?
The Regulation impacts most on operators whose core business is data processing and/or dealing with sensitive data. By contrast, operators, in particular SMEs, which do not engage in high risk processing as their core activity will normally not be subject to specific obligations of the Regulation. It is however a sensible step for businesses to validate the GDPR impact on their individual business models, data policy cycles, contracts in place, compliance checklists... According to the European Commission, while big companies are actively preparing for the application of the new rules, many SMEs are still not yet fully aware of the forthcoming data protection rules.
In addition to many national resources, the EU institutions have generated several documents that are available for communication purposes :
- 2018 reform of EU data protection rules
- Factsheet ‘EU Data Protection Reform’
- Rules for business and organisations
- Summary of: Regulation (EU) 2016/679 — protection of natural persons with regard to the processing of personal data and the free movement of such data
- Stronger protection, new opportunities - Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018
A dedicated effort was put forward to reach SMEs. Many law firms/consultancies have multiplied the awareness/training offering across the EU. National administrations and national data protection authorities have also engaged in dedicated campaigns.
Within CEMA, many member associations (http://cema-agri.org/members) have taken initiatives to outreach to the industry membership on this upcoming change and propose solutions/tools. In almost every case, information is also available in the local language from national business associations (CBI, MEDEF, BDI, Confindustria, CEOE, IV, FEB, DI, VNO, TUSIAD https://www.businesseurope.eu/members).
CEMA further urges its membership to take all appropriate preparatory steps ahead of 25 May 2018.