GDPR: 25 May is not the end. It is the beginning

The General Data Protection Regulation (GDPR), which replaced the EU Data Protection Directive, came into force on 25 May 2018. And yet the sun still came up, just as it did at the beginning of the 21st century.

Although many businesses have been working on their GDPR compliance programmes for some time and will feel confident that they are well prepared, some are still working on theirs – and many are yet to begin. For anyone who has missed the deadline for compliance, the Bulgarian Data Protection Commission has published on its website 10-step guidance on the GDPR to help organisations comply with its requirements. Mr Ventsislav Karadjov, head of the Bulgarian Data Protection Commission and also elected as a vice-chairman of the new European Data Protection Supervisor (EDPS), highlighted in an interview with the Bulgarian magazine Capital on 6 April 2018 that GDPR compliance commences with analysis of business processes.

With the legislation in force, all eyes in Bulgaria now turn towards the regulator to see how the GDPR will be enforced. We have already heard from the Bulgarian Data Protection Commission that they will start with warnings and not with high fines. However, substantial penalties (for serious breaches, up to 4% of global turnover or EUR 20 million, whichever is higher) could be expected by those that persistently, deliberately or negligently flout the law.

Stoeva Tchompalov & Znepolski’s group of dedicated data protection lawyers represents clients from across industries and of all sizes, each facing a unique set of data protection concerns. Please contact us if you need help with your GDPR compliance activities.

Because, as Elizabeth Denham, the UK’s Information Commissioner, has noted, “… 25 May is not the end. It is the beginning”.