GDPR Article 99: Entry into force and application

Article 99: The Facts

The article has two clauses concerning the GDPR’s entry into force, and subsequently becoming law.

1.This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2.It shall apply from 25 May 2018.

This, the final article of the regulation, says when the GDPR starts taking effect: 25-May-2018.

To describe the timeline: the GDPR was published in volume 59 of the Official Journal of the European Union on 04-May-2016.  (The Journal is published daily on the European Union Law website in up to twenty-four languages.  In the same volume were two related directives on the use of personal data by competent authorities with regards to criminal activities.)  Twenty days later the GDPR came into force – that is, came into force as opposed to becoming legally binding, which happened two years later on “GDPR Day” 25-May-2018.

From 25-May-2018, and until it is repealed or replaced, the GDPR will remain in effect.

Graeme’s View

25th May 2018 was widely described as D-Day for GDPR. The preceding weeks saw a flurry of emails asking for people’s consent to continued processing.  These emails ranged from the relaxed to, as one writer put it, those that made her inbox “starting to feel like the ramblings of a desperate ex-boyfriend.”

GDPR Tweet
Many GDPR emails had the air of desperation.

In theory most companies shouldn’t have had to do an awful lot to comply with the new regulations if they were already following the letter of existing data protection law and general good practice.  However, for many the headline-grabbing size of the potential fines for non-compliance prompted a hasty re-examination of procedures and a realisation that for many records adequate consent could not be demonstrated, or simply had never existed.  In many organisations contacts had been collected over decades through various means lost in the mists of time, and data audits had rarely if ever been undertaken.  Impetus to address this was aided by the volume of GDPR-related emails and seeping of GDPR into the public consciousness as the deadline approached, adding to the sense that “we’d better do something”.



Leave a Reply

Your email address will not be published. Required fields are marked *