The General Data Protection Regulation (the "GDPR") will enter into force on the 25th of May of this year, effectively replacing the Data Protection Directive (the "DPD"), which has been in force since 1995. In the past 23 years, the occurrence of significant technological advances, particularly in the online sphere, coupled with increased commercial exploitation of personal data, have necessitated updated and modernised data protection rules.
In this regard, the GDPR will radically overhaul and clarify data protection rules, effectively enhancing data subject rights and imposing increasingly-strenuous obligations upon businesses across the EU and even beyond its borders.
With just over 100 days to go until its date of application, and in its efforts to pave the way for a smooth transition into the GDPR framework, the European Commission has launched a website containing extensive GDPR-related resources, information and guidelines for businesses and citizens alike. The website, which can be accessed at europa.eu/dataprotection is part of the Union's wider efforts to get citizens and businesses familiarised with the new data protection rules and the general framework within which businesses will operate.
The general preparedness for the transition largely varies according to Member State. Most pre-A10 accession Member States now have over twenty years of experience in data protection regulation, making them markedly more prepared for the shift. Germany, for instance, has since 2001 , required certain businesses to appoint a data protection officer to deal with data protection related issues, which is elsewhere a novel concept, and is one of the new features introduced by the GDPR as a mandatory obligation incumbent upon certain businesses.
The preparedness also varies greatly according to business size, between larger businesses and SMEs. The former enjoy the increased manpower and resources to help them ease the transition. Regulated industries in particular, already have extensive experience in regulatory compliance, making the task of GDPR-compliance an easier one for them to undertake.
For these purposes, the European Commission has earmarked a reputed 1.7 million Euro in order to fund and train data protection authorities and professionals, with a further 2 million Euro intended for Member State-level information campaigns, aimed particularly at small businesses.
The intention is to have a homogenous EU-wide data protection framework, converging Member States' data protection rules and leaving very little leeway for discrepancies, limited to certain specific areas such as employment law.
In reality however, it remains to be seen how the various supervisory authorities within different Member States, will cope with the transition and consolidate each others' efforts. The Commission has noted that various authorities suffer from an acute shortage of funding and resources which could affect their ability to properly cope with the increased responsibilities which have been imposed upon them by the GDPR. The Commission has warned of possible "infringement procedures" for any Member States who do not step up and take the implementation of the GDPR seriously, signalling its commitment towards the proper implementation of the GDPR across the continent.