The EU's new data protection law, the General Data Protection Regulation (GDPR), was adopted back in May 2016, but it won't be enforced until May 2018.
That means EU member states and companies have only four months to prepare for the new data protection regime.
In a rush
The EU justice commissioner, Věra Jourová, told the EUobserver there are only two member states, Austria and Germany, that have implemented national laws according to the new regulation; 13 other member states have only draft laws. The rest is silence.
It's not only member states that are in a rush – so too are big companies, especially those offering trans-border services. They have to be prepared to comply with the GDPR, particularly with regard to the handling of personal data. Fines for breaking the rules of the GDPR can be substantial – potentially as high as €20 million or 4% of the company's worldwide annual turnover if they ignore their legal obligations and commit repeated and serious infringements.
The May 2018 deadline for the new data protection rules is binding, meaning that the regulation will be automatically applicable even in the absence of proper legislation at national level.
What's new in the GDPR?
Control over data
The aim of the new regulation is to modernise the 20-year-old legal framework for personal data protection, harmonising the rules to guarantee the free flow of personal data within the EU, while at the same time reinforcing individuals' rights and providing legal certainty. Harmonising data protection rules across Europe is a prerequisite for a higher level of data protection.
The new data protection rules ensure that users are in control of their personal data, while imposing a clear set of obligations on the companies handling personal information. Transparency is one of the safeguards and the leading requirement for data processing.
New EU-level supervisory body
The new regulation also mandates cooperation between the national data protection authorities. That means companies will have to deal with one authority, not 28, which will ensure legal certainty for businesses. A new cooperation mechanism between authorities also helps to harmonise the enforcement process. The new European Data Protection Board will replace the existing Article 29 Working Party, which is made up of representatives of the national data protection authorities.
The European Data Protection Board will monitor the correct application of the new rules, give advice and guidance and advise the European Commission. This body will be empowered to issue binding decisions to foster the consistent application of data protection rules throughout the EU.
Another important change is that the new rules authorise NGOs to represent individuals before courts and before data protection authorities. This empowerment opens the way to more effective legal remedies and enforcement in the event of a personal data protection breach.
- The European Commission recently launched an online fact sheet to help EU residents and businesses understand what the new data protection rules are about.
- This is a very good piece written for software engineers about designing software to meet the requirements of the new data protection regulation.
- Here is an easy-to-read, easy-to-understand infographic from the European Commission on the new rules.
- Here is a guide for lawmakers to consider when crafting better data protection regulations.