It is finally here. This is the year of the GDPR. A journey that started with an ambitious policy paper about modernising data protection almost a decade ago – a decade! – is about to reach flying altitude. No more ‘in May next year this, in May next year that’. Our time has come. Given the amount of attention that the GDPR has received in recent times, data protection professionals are in high demand but we are ready. We knew this was coming and we have had years to prepare. However, even the most seasoned practitioners are at risk of being engulfed by the frantic fire-fighting mood out there. The hamster wheel of GDPR compliance is spinning faster and faster, but it is precisely now when we must look up, see the bigger picture and focus on getting the important things right.
The German Ministry of Interior affairs has published an English translation of the new Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). On 27 April 2017 the German Parliament passed the BDSG in order to make use of the opening clause provided for in the EU General Data Protection Regulation (GDPR). This bill has been controversial; see here for an interview with Jan Albrecht, Stefan Brink and Tim Wybitul.
The new BDSG replaces its national predecessor, which has been in force for the last 40 years. The new BDSG is the first step toward adapting national German member State law to the provisions of the GDPR. With an effective date of 25 May 2018, the new BDSG will also form the basis for the adaption of further German data privacy acts to the GDPR. We note that several ministries have already indicated that they are preparing specific data privacy provisions concerning special processing situations like social security data protection, and we expect these provisions to follow the implementation of the BDSG.
This overview summarizes the major implications of the BDSG for companies operating in Germany.
The Article 29 Working Party held its April plenary meeting last week, where it continued its work preparing for the GDPR, adopted an opinion on the draft e-Privacy Regulation, and discussed the annual review of Privacy Shield.
On January 5, 2017 Paris Law School Panthéon-Assas launched its first university degree aimed at training future Data Protection Officers under the new European General Data Protection Regulation, which becomes effective across the EU on May 25th, 2018. Created by Paris University Professor Bénédicte Fauvarque-Cosson and Hogan Lovells partner Winston Maxwell, the new program will include courses in law, cybersecurity, data analytics, management and ethics. The faculty will include professors from various law schools, as well as practicing DPOs, information security specialists, lawyers and regulators from the CNIL, and major companies including Sanofi, GE, Axa, Lagardère, Google, Microsoft, Schneider Electric, BNP Paribas and the Banque Postale.