Published: April 2018

This IAPP white paper is divided broadly into two sections: The first explores the legislative actions that the GDPR requires member states to take, while the second examines the optional powers and authority available to them to carve out exceptions for or to clarify the GDPR’s rules.

This distinction is derived from the division between what the member states “shall” and “may” do within the articles of the GDPR. These cover such areas as the processing of sensitive data; data processing in the context of employment; conducting DPIAs; appropriate safeguards for data protection for archiving purposes in the public interest, scientific or historical research, or statistical purposes; access rights; automated decision-making and profiling; and data protection officers.