If there’s a group that’s been busy lately, it’s the Article 29 Working Party. Do those guys sleep? October saw the group release a batch of guidelines on the forthcoming EU General Data Protection Regulation’s provisions, covering administrative fines, profiling and automated decision-making, breach notification, and data protection impact assessments. Here’s a roundup of our coverage of the various releases over the last month.
WP29 releases guidelines on administrative fines under the GDPR
Recently, the EU's Article 29 Working Party posted a document many have awaited with much interest: the final guidelines on the application and setting of administrative fines under the General Data Protection Regulation. Just what does an organization have to do to incur that oft-quoted fine of up to 4 percent of global annual turnover? The WP29 doesn't go so far as to outline specific scenarios that would trigger the largest possible fines, but it does lay out the assessment criteria supervisory authorities are expected to apply, so you can work through your own scenarios. And, Sam Pfeifle writes, the guidelines also make clear that failing to listen to your data protection officer is a bad idea.
WP29 releases guidelines on profiling under the GDPR
The Article 29 Working Party has drafted new guidelines covering profiling and automated decision-making under the forthcoming EU General Data Protection Regulation. The proposed guidelines acknowledge two general benefits of these technologies: first, increased efficiencies and, second, resource savings. And they note the potential to “better segment markets and tailor services and products to align with individual needs.” However, the WP29 warns that profiling and automated decision-making technologies can pose “significant risks to individuals’ rights and freedoms” and can “perpetuate existing stereotypes and social segregation” absent appropriate safeguards. Lee Matheson recaps the draft so you can get your feedback in before Nov. 28.
WP29 releases draft breach notification guidelines
In October, the Article 29 Data Protection Working Party released its proposed guidelines on data breach notifications, which are open to public comment until Nov. 28. The guidelines provide detailed explanations about the data breach notification mechanism and offer some clarifications on certain key concepts, including notification obligations (both to supervisory authorities and to data subjects) and risk assessment. Muge Fazlioglu recaps the guidelines so you have time to get your thoughts to the WP29.
What’s new in the WP29 guidelines on DPIAs?
The Article 29 Working Party published in October its “last revised” guidelines on data protection impact assessments and on determining whether processing is “likely to result in a high risk” for the purposes of the GDPR. The DPIA is a “process” that, according to GDPR Article 35(7), must at a minimum systematically describe an organization’s processing operations and their purposes; assess their necessity and proportionality; assess the risks they present to the rights and freedoms of data subjects; and set out the measures, safeguards, and mechanisms intended to address those risks, so as “to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.” Muge Fazlioglu has the details of WP29's final thoughts on the matter.