Tuesday night, the European Parliament and Council announced that, after years of negotiating, they've reached an agreement on a consolidated text of a brand-new General Data Protection Regulation. The Luxembourg Presidency of the Council of the European Union called it a "historic agreement," while Green MEP and rapporteur Jan Philipp Albrecht called it a "major step forward for consumer protection and competition," ensuring "Europe has data protection rules that are fit for purpose in the Digital Age."

Some of the 200-page document's major provisions, as reported by the IAPP's Sam Pfeifle yesterday, include: the law applies to any controller or processor of EU citizen data, regardless of controller or processor location; breach notifications for breaches involving "significant risk" for data subjects must be made within 72 hours of discovery; data protection authorities are granted more powers, including the ability to fine up to four percent of an organization's annual revenue; many organizations will now be required to appoint a data protection officer; and data processing may only occur with explicit consent unless certain conditions exist.

While Parliament's LIBE Committee prepares to vote on the text Thursday, privacy pros globally are surely paying attention. For those who've been closely watching the various iterations of the text in the three years since draft one entered the scene, there may be few surprises—though the change in age for children's consent to 16 was a doozy, wasn't it? Regardless of whether you've been glued to the news or this is the first you're hearing of the regulation, veterans in the field agree the time to daydream is over. The text is here, and the time to move is now.

Field Fisher's Phil Lee, CIPP/E, said while Parliament and the Council still have to formally adopt the text and implementation will come two years after that, what must happen now for some companies is no small feat. 

"The significant nature of the changes, from revising internal policies, procedures and notices, to appointing DPOs, to instituting data breach management notices, to revising contracts, really means that companies need to begin planning now," he said. "With the threat of fines up to four percent of global turnover looking large, no one wants to be caught out."

Lee said the changes will be most difficult for companies that have been outside the scope of the existing Directive. First, businesses should figure out if they're subject to the law to begin with, and then get to work remediating. 

Privacy strategist Bob Siegel, CIPP/US, CIPP/C, CIPP/E, CIPM, CIPT, president of Privacy Ref, says that's exactly what he'll tell his clients: Get moving. 

"Start looking at what the impact to business is going to be," he said. "I think people now are going to have to realize it's a reality and address those requirements."

What's step one? 

"The first thing I would do is to put together a cross-functional team; the privacy office, inside or outside counsel, IT and compliance [if it sits outside of those groups] to create an understanding of what the plan will be over the next 18 months to two years to begin implementing those changes," Siegel said. 

Director of TRUSTe's consulting group, Eleanor Treharne-Jones, CIPP/E, agreed that a good place to start is to meet with the privacy management committee, if there is one, to establish the kind of initial work that should be done and who should be briefed first. 

Treharne-Jones said TRUSTe's research found 40 percent of companies would allocate budget toward the GDPR once the change had passed but before it went into effect. So for many, it may be a case of acquiring budget before progress toward compliance. 

But it's not necessary to wait for the funds to roll in before taking steps toward compliance, Treharne-Jones said, including briefing the board and senior management. For some, it's been a question of how to package the GDPR as a priority in C-suite agendas.

"For many people, data protection is still not high on the C-suite agenda, but there's potential this [regulatory change] will push it there," she said.

K Royal, CIPP/E, vice president and privacy counsel at CellTrust, said companies who may have previously thought their privacy officer a bit of a Chicken Little, worried the sky might be falling without reason to believe so, are now realizing the sky is in fact falling. While Safe Harbor's recent invalidation may have woken some companies up that slept through warnings about regulatory changes to come, the GDPR ruling got them out of bed entirely. 

"With the GDPR, it's going to be a case of any privacy officer that has been keeping their company posted along the way is probably about to become a lot more respected and listened to," Royal said. 

But Treharne-Jones said having the respect and attention of the C-suite means your messaging has to be on point, and privacy pros "need to be careful how they go about" their messaging for implementing changes. That means having an understanding of what's in the final draft before you go barging into the CEO's office, as well as appointing a project owner if there isn't one already.

"That's one of the key things needed before you even start the budget process," she said. 

Royal agreed, saying pros must read the new text. All of it. Know the rules. 

David Smith, formerly deputy commissioner of the UK's Information Commissioner and now counsel at Allen & Overy, said the political agreement means a major milestone has been passed and the end is in sight. 

"Now that the shape of the regulation is clear, it's time for CPOs to start preparing. This includes putting in place their arrangements for compulsory breach notification both to data protection authorities and to affected individuals, carrying out privacy impact assessments and being able to account for the effectiveness of their data protection compliance programs," Smith said. 

Beyond that, Royal said there will be three key actions that will be critical to companies now, especially U.S. companies. First, she said, you must map your data. 

"Where's it coming from? Why are you collecting it?" Royal said of questions pros must ask themselves. Next, it's time to stop collecting data you don't have a legitimate purpose to collect and stop using it for something other than what it was collected for. 

"I think that's going to have the biggest impact on U.S. companies, controlling the data," she said. "In the U.S., we just love data. Even if we don't know what we're going to do with it now, we just love it. It's like gold panning in the rivers, when you just pick out what you have and take the gold nuggets. Well, we just gotta start throwing the rest of it in the river." 

Lastly, companies are going to need to prep by taking a look at relationships with third-party vendors and ensuring none of those relationships mean you risk non-compliance with the rules.

Royal said she expects companies with BCRs to already be in decent standing, though they'll need to go beyond the provisions of most BCRs to comply with the GDPR. But they likely won't have as far to go as companies that haven't had to reach compliance agreements with European supervisory authorities. 

Siegel added that moving toward compliance with the final regulation is complicated further by the fact that the next version of Safe Harbor, the Transatlantic Data Protection Framework, is still being negotiated. 

"So while having this laid down is good," he said, "there's still a question of how to legally export data from Europe, and people are going to have to keep an eye on Safe Harbor while they're doing this as well. They may find themselves having to pay attention to some things more than others, more than they may have had to do so six months ago." 

In any case, all agreed the time to act is the present. After all, Smith said, "The next two years will pass very quickly!" 
