<img height="1" width="1" src="https://www.facebook.com/tr?id=1046809342117480&amp;ev=PageView &amp;noscript=1">

VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Share the Infinigate UK Blog on LinkedIn Share the Infinigate UK Blog on Twitter Share the Infinigate UK Blog on Facebook Share the Infinigate UK Blog on Google+ Share the Infinigate UK Blog via Email

According to the GDPR, it is In Force Already

Topics: Data Protection, GDPR, Article 99

Posted: 04 April 2017

GDPR Already in Force

We have all been conditioned to fear the arrival of May 2018. Hell-fire, brimstone and a newly powerful Information Commissioners Office (ICO) will rain administrative fines from the skies. Yet, for those who have summoned the ability to stay awake long enough to brave the final pages of the regulation, article 99 suggests its implementation date is less clear than originally thought.

There was an Article 99?

The final commandment that is article 99 reads:

  1. - This Regulation shall enter into force on the twentieth day following that of its publication in the Official - Journal of the European Union.
  2. - It shall apply from 25 May 2018.

One number short of an upside-down mark of the beast, the 99th article suggests that the GDPR has been in force since the twentieth day subsequent to its publication, that being the 17th of May 2016. Yet, its application is not honoured until two years after.

The Optimist and the Pessimist

The optimists amongst us would most likely put this down to an overly keen desire to use legal language in order to say something considerably simple, after all the two-year deadline still applies. Could it be that after ten years of debate the final regulation was a little shorter than expected and it needed some padding out? Bureaucracy is by no means thought of as a stranger in the halls of the various European Union chambers.

The pessimist in me takes less comfort from the definition of a regulation, which on the European Union’s own website, is defined as immediately in force in all EU countries, without needing to be transposed into national law. This suggests that as defined in article 99, the GDPR is already in force, just that the supervisory body (the ICO in the UK) cannot act until two years later, when its application begins. In practice, a breach today could potentially be investigated retrospectively and penalties levied after the May 2018 date we are all familiar with.

It’s in the Small Print

Holy scripture like in its writing, ten people who read the GDRP will likely result in ten different interpretations. The irony seems lost on the pen wielding European Union that a regulation aimed at providing clarity to data subjects regarding data collection and processing activities, reads as ambiguously as any other common set of terms and conditions in existence today. "Do as I say and not as I do" springs to mind.

Returning to the original question of whether the GDPR is in force already, it certainly appears that way according to final article. A cruel joke for those who didn’t read through to the end.

Consequentially the GDPR is suspended in a preliminary state where the eyes are watching but the teeth cannot bite. However, muzzled or not, the eyes do not forget and whether you agree with this blog post or not it would be better to “errm” on the side of caution. Especially when there are examples to be made and fines to be collected.

Famously, it is over when the fat lady sings. It is less clear when it begins.

GDPR Data Protection Legitimate Interests and planning your Strategy


Infinigate UK
Posted by: Infinigate UK
Share via:

Subscribe to VSEC Blog Updates

Terms and Conditions:
  • When completing this form, you are indicating your consent for this processing activity. By doing this you are providing Infinigate UK with lawful consent to process your submitted personal data for one or both of the marketing purposes below:
    • We will use your details to send you blog updates.
    • We will match your answers to areas of interest which believe you have and may send you additional marketing materials related to those areas.
  • We will keep your personal data for nine months, upon which we will delete your personal data unless you have consented to further processing or we have legitimate interests to retain it. You are free to withdraw your consent at any time by contacting our marketing department or using one of our unsubscribe links in our communications.
  • In some cases where you indicate consent for supplying you with additional promotional marketing material, we will share your personal data with one of our reseller partners, should your areas of interest match a solution or service they provide. We instruct all our reseller partners to communicate this data transfer with data subject affected.
  • Your personal data is stored in a marketing automation solution database, access to this is limited to authorised users and all necessary steps to ensure data security is maintained.

For further information about this form, your rights under the General Data Protection Regulation or how to exercise them, please contact Infinigate's marketing department here.

Popular Posts