Greetings from Brussels!
It’s Friday, it’s 25 May, and it’s GDPR Day! The clock has wound down, time is out, and we find ourselves in a new European privacy reality. I need to pinch myself; it really is here.
How time flies. Rewind to January 2012, and it was then that the European Commission set out its proposals to reform data protection throughout Europe and published a first draft of the revised Data Protection Regulation, which was to become the General Data Protection Regulation. Once sent to the European Parliament, it was subject to more than 4,000 amendments. That is a phenomenal number. Although, I would argue that if you consider the hive of lobby activity in the member states, as well, the number of engagements of influence and positions is far higher overall.
I still recall a few years back when the Brussels EU quarter was swarming with an unusually high number of corporate counsel types and lawyers in search of a lunchtime gem. Brushing shoulders with a diverse set of nationalities here is not uncommon, but a good many of the accents I was hearing were from across the pond. It was then that I truly realized how groundbreaking this piece of legislation could end up being, not only for Europe, but also beyond.
So here we are at a new beginning, and if you have been following the heightened frenzy of media activity this week, well, you will know a few things more about this legislation. Perhaps unsurprisingly, several member states don’t have their domestic GDPR implementing acts in place and adopted as the law of the land. A few will have jumped the final process hurdles to sprint across the finish line in the last days, including the Dutch and the Irish. No matter, unlike the predecessor Directive that required transposition into national law to apply, the Regulation — the GDPR — will for all practical purposes become the applicable data protection law of the EU, superseding all current equivalent laws.
Legislators, regulators and companies have had two years to get ready. However, and with hindsight, arguably two years might not have been enough for such a highly politicized and seismic piece of legislation to pass plain sailing. The position of the European Commission is clear: It was time enough, and there is disappointment with those member states that have not done the necessary work in time. The EC doesn’t like legal uncertainty. Justice Commissioner Věra Jourová has also said further action against the worst-offending member states would be considered if need be.
The European regulators have been articulate, with Andrea Jelinek, the Austrian data protection authority, and president of the newly formed European Data Protection Board saying that there will be no grace period — the GDPR is applicable and enforceable as of now. Other DPAs have also conveyed similar messages while acknowledging that transparent accountability and robust project planning to comply with the GDPR is key, even where full compliance has yet to be achieved. I suspect the European regulators will apply fair judgment and enforcement in the initial bedding-in phase, but make no mistake: Where blatant infringements or irregularities are identified, administrative fines will be applied in accordance with the regulation. Deputy Commissioner Dale Sunderland, of the Irish DPA, wrote a blog this week on how the Irish Data Protection Commission will seek to enforce the GDPR. It provides real insight and can be read here.
For all the privacy pros out there: We’re here, the time is now, and this is your time. There has never been a better catalyst for visibility and acknowledgment of the privacy work you have undertaken thus far; privacy culture has truly arrived. It’s here to stay, and there is still plenty to do. For the companies out there that are not GDPR ready, don’t panic. Compliance is a work in progress. There’s no time like the present. It’s not too late. Nor, however, is there time to be lost.