On 6 April 2016, the EU agreed a major reform of its data protection framework and adopted the General Data Protection Regulation (GDPR). As the new EU-wide data protection instrument, GDPR seeks to guarantee the free flow of personal data between EU Member States and to reinforce the trust and security of consumers, as Digital Single Market (DSM) fundamentals.

GDPR seeks to enable higher levels of data security, empower market participants, boost competition and modernise administration and public services. Its successful application requires co-operation among all involved in data protection.

Since the adoption of GDPR in May 2016, the Commission has actively engaged with stakeholders to ensure that the importance and scale of the changes introduced by the Regulation are properly communicated. It has dedicated EUR 1.7 million to fund data protection authorities and support awareness training, with a further EUR 2 million available to national authorities for direct business support.

Issued ahead of the GDPR implementation deadline, this Guidance:

• recaps the main innovations and opportunities opened up by the new EU data protection legislation;
• takes stock of the preparatory work undertaken so far at EU level;
• outlines what the European Commission, national data protection authorities and national administrations should still do for bringing the preparation to a successful completion; and
• sets out measures which the Commission intends to take in the coming months.

With preparations progressing at variable speed across EU Member States, the Guidance outlines action required by the Commission, national data protection authorities and national administrations towards a successful completion of preparations.

The Commission expects that the new data protection framework will have a wide-ranging impact and observes that significant adjustments will still be required in some respects. Member States are encouraged to speed up the adoption of national legislation in alignment with the GDPR provisions, and notes that national authorities should be suitably funded and staffed in order `to guarantee their independence and efficiency'.

The Guidance calls on all actors concerned to intensify efforts towards ensuring the consistent application and interpretation of the new rules across the EU.

A successful preparation should include the following actions:

• Member States to finalise the set-up of the legal framework at national level.
• Data protections authorities to ensure that the independent European Data Protection Board is fully operational.
• Member States to provide the necessary financial and human resources to national data protection authorities.
• Businesses, public administrations and other organisations processing data to get ready for the application of the new rules.
• All parties to ensure proper awareness of all parties affected by the new rules, particularly citizens and SMEs
  

The Commission will continue to actively support all actors ahead of GDPR entering into force on 25 May 2018. Thereafter, it will monitor Member State compliance and continue with multi-stakeholder group engagement, reviewing stakeholder experience in May 2019 and producing an evaluation report expected to be published by May 2020.

Clients should be aware of the Commission's drive for adequate preparedness for the introduction of uniform data treatment rules that strengthen the protection of individual rights and carry significant enforcement powers. EU data economy advances offer opportunities and benefits for businesses leveraging their competitive advantage and embracing innovation.

KPMG member firms have expertise and experience in helping clients prepare for the new requirements. Click here (PDF 1.14 MB) to find our more.