The European General Data Protection Regulation (GDPR) was proposed on January 25, 2012 because the current EU Data Protection Directive does not sufficiently address the important aspects of data protection in a rapidly changing environment shaped by globalization, social networks, and cloud computing. The European Commission therefore determined that new guidelines for data protection and privacy were required and proposed the GDPR as a comprehensive reform of the Data Protection Act of 1998.
The regulation, which is scheduled to be adopted by the end of 2015, will take effect in all 28 EU countries directly after a two-year transition period, without requiring any additional legislation by EU member state governments. Because it is a regulation rather than a directive, the GDPR will apply in every EU country, and it will extend the scope of the Data Protection Directive from government agencies alone to all companies. Employee data might be excluded from the GDPR and remain subject to individual country regulations.
There will also be a single Data Protection Authority (DPA) responsible for each company, determined by where the company is based. A European Data Protection Board will coordinate the DPAs.
The key elements of the GDPR include the creation of a single set of rules, increased enforcement powers including higher potential fines, a duty on organizations to report breaches within 24 hours, and provisions giving people easier access to and more control over their personal data, including a "right to be forgotten" and the introduction of "data portability".
Despite general agreement in these key areas, there are still a number of major differences of opinion which will need to be reconciled through negotiations between the Commission, the European Parliament and the Council.
Whether the GDPR will be adopted by the end of 2015 is uncertain; however, progress is being made, and the GDPR could be introduced as early as 2016. For businesses, it is important to implement a data protection plan immediately, one that addresses not only the personal information of customers but also all important business data that requires protection to ensure business viability.