GDPR will continue to be top of mind for many IT lawyers until 25 May 2018 when it enters into force and likely for a while thereafter. In the words of the Economist newspaper the GDPR ‘is “the most complex piece of legislation the EU has ever produced”’ and “will be one of the most important pieces of legislation brought into force in 2018”. As the Information Commissioner has said, ‘we’re all going to have to change how we think about data protection’ and, as everyone is finding out, you can’t just paper your way to GDPR readiness.
In addition to the rising bow wave of work in the first half of 2018, data related legal work is likely to settle back at a significantly higher level than before. GDPR regulatory enforcement will gain traction after the summer holidays and we’re likely to see over the remainder of 2018 an outbreak of litigation and the continuing weaponization of data protection claims in the employment, B2B and international contexts.
A potential curve ball to watch out for is the new ePrivacy Regulation – the source of the rules on cookies and the requirements for cookie policies. The EU published a draft regulation in January 2017 and it is still under discussion, but it looks like extending the current (2009) ePrivacy Directive significantly. Although the EU said in early 2017 that they want the new regulation to start at the same time as the GDPR, this is looking increasingly less likely, and it may be 2019 before it comes into effect.