EU General Data Protection Regulation

The GDPR is here.

In December 2015, the EU Parliament and Council finally agreed on the EU General Data Protection Regulation, first proposed in 2012; it was adopted in April 2016 and has applied since May 25, 2018.

The GDPR offers a new framework for data protection with increased obligations for organizations, and its reach is far and wide. 

Hands-On Guide to GDPR Compliance

“There are six words in the General Data Protection Regulation (GDPR) which have triggered a paradigm shift in how privacy compliance is dealt with by EU organisations. The GDPR mandates that an organisation must practice ‘data protection by design, by default’. What this means is that every organisation must weave privacy-thinking into its DNA. Hence, the paradigm shift has expanded privacy compliance out of the legal office into business operations. Although this book contains some ‘legal-speak’, it is rationed. The book is targeted at non-legal professionals who need to work out how to make this work in practice.”

The Law and Official Guidance

The GDPR is applicable to any organization — no matter where it resides — that intentionally offers goods or services to the European Union, or that monitors the behavior of individuals within the EU.

Provisions affecting access, consent, data portability and mandatory breach notification will require changes to many organizations’ data handling practices. A provision requiring the appointment of a data protection officer for certain organizations has many scratching their heads.

The Article 29 Working Party offered guidance on many of the more ambiguous provisions of the GDPR. It has since been replaced by the European Data Protection Board, which has taken up that job.

The data protection package agreed by the European Parliament and Council also includes Directive (EU) 2016/680, often referred to as the “Police Directive” or Law Enforcement Directive. It applies to the processing of personal data by law enforcement authorities in the EU and complements the GDPR.

Article 29 Working Party and European Data Protection Board Guidance

The Article 29 Working Party, a group including representatives from the data protection authorities of all EU member states, published guidance to clarify certain provisions of the GDPR. When the GDPR began to apply, a new body, the European Data Protection Board, or EDPB, replaced the WP29 as the source of data protection guidance. Guidance from both bodies is collected below.

All of the European Data Protection Board and Article 29 Working Party guidelines, opinions, and documents

Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 (25 May 2018, PDF 750 KB)
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 (25 May 2018, PDF 718 KB)

From the Article 29 Data Protection Working Party: The WP29 was an advisory body made up of representatives from the data protection authorities of each EU member state, the EU Commission and the European Data Protection Supervisor. Upon ena...

General Analysis and Guidance

GDPR Comprehensive 2016 – New York City

(Video recording available for purchase)
The biggest European data protection reform in 20 years is upon us. Make sure your organization is ready for this seismic shift by attending the GDPR Comprehensive—an intensive two-day training offering a practical, hands-on view of the fundamentals of the new regulation.

GDPR Awareness Guide

The IAPP offers this high-level look at what the GDPR requires of organizations collecting or processing the data of individuals in the European Union, what rights it grants to individuals, and what consequences exist for not complying with the regulation when it comes into force in May 2018. (PDF 671K)

GDPR Enforcement Priorities

European Supervisory Authorities have shed light on their initial enforcement priorities. Take a look at this IAPP infographic to learn more about where to focus your efforts to be on the right side of regulators. (PDF 1.63 MB)

The GDPR in 20 Minutes

Looking for a slimmed-down version of the EU's General Data Protection Regulation? The GDPR in 20 Minutes might just be your thing. List-formatted, in outline, it presents the GDPR text in truncated fashion, highlighting meaning while providing links to the relevant text you can expand for a fuller picture. The text has also been reorganized to group information by topic.

IAPP GDPR Readiness Assessment

Powered by TRUSTe.

The IAPP and TRUSTe have partnered to provide a comprehensive online tool to help companies assess their readiness to meet the requirements of the GDPR. The assessment is available via a special single-user version of TRUSTe Assessment Manager created for IAPP members and consists of more than 60 questions mapped to key requirements of the GDPR. After you answer the questions, you will receive a report summarizing responses along with recommended remediation steps for any items that are not consistent with the regulation.


GDPR guidance documents

This page is a straightforward list of links to GDPR guidance documents, organized by topic, from the Article 29 Working Party, various data protection authorities, law firms, consultancies and more.

Top 10 operational impacts of the GDPR

The new General Data Protection Regulation (GDPR), proposed by the European Commission in 2012 and finally agreed upon by the European Parliament and Council in December 2015, is set to replace the Data Protection Directive 95/46/EC. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controller...

Top 10 operational responses to the GDPR

In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the EU General Data Protection Regulation. Now, with the May 25, 2018, GDPR-implementation deadline looming, the IAPP is releasing a companion series to present common practical organizational responses that our members report undertaking in anticipation of GDPR implementation. Find the e-book comprising the following posts here. Part 1: Data inventory and mapping. By ...

Will the GDPR impact you? 4 hypothetical scenarios to help you understand

When the EU General Data Protection Regulation comes into force next May, companies will have had two years to prepare and map out implementation. While some may be well ahead of the game, many others are still left wondering whether the regulation will even apply to them. Recent surveys show these companies are not alone: a survey by the Institute of Directors indicates that four out of ten respondents did not know whether the GDPR will impact their company. Does the GDPR even apply to you...

GDPR Assessment

This assessment from Microsoft is a quick online self-evaluation tool to help establish an organization’s readiness for the EU General Data Protection Regulation.

The General Data Protection Regulation Matchup Series

In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. GDPR Matchup: The APEC Privacy Framework and Cross-Border Privacy Rules. In this installment, Alex Wall, CIPP/E, CIPP/US, compares the principles of the APEC Privacy Framework with the principles expr...

Top 10 Operational Impacts of the GDPR - Web conference

The General Data Protection Regulation, set to come into force in May of 2018, is a massive, 200-page document that not only creates many new obligations, but also extends the reach of EU law to anyone collecting the data of individuals in the European Union, wherever the collector is located. Understanding how to comply can be daunting. That's why the IAPP has pulled out the top 10 largest operational impacts so that you can begin tackling the most important issues right now. Hear from an expert panel, featuring current and f...

Bird & Bird Guide to the General Data Protection Regulation

This guide from Bird & Bird summarizes the key changes the GDPR will bring and highlights the most important actions organizations should take in preparing to comply with it. The summary is divided into chapters sub-divided into themes. Each sub-chapter starts with a speed-read summary, a list of suggested priority action points, an assessment of the degree of change, and a signpost to guide you to relevant source material within the regulation. (PDF 1.57 MB)

WP29 releases guidance on DPOs, data portability, one-stop shop

In something of a massive data dump, the EU’s Article 29 Working Party emerged from its December plenary meeting with a number of GDPR application guidance documents, including explanations for the mandatory DPO role, the mechanisms for data portability, how a “lead authority” to lead the one-stop shop enforcement mechanism will be established, and some notes on enforcement and the EU-U.S. Privacy Shield. The WP29 welcomes comments on the guidance from stakeholders through January 2017, so there...

Key aspects of Europe’s General Data Protection Regulation

This document from Reuters outlines the key aspects of Europe's General Data Protection Regulation (GDPR). Displayed are the steps which companies must go through to provide Europeans with a copy of their personally identifiable data and explicitly inform users how the companies will be using their data, along with a list of the penalties, notifications and appointments that companies will now be required to adhere to.

Guide to the General Data Protection Regulation

The Guide to the GDPR, published by the U.K. Information Commissioner's Office, explains the provisions of the GDPR to help organizations comply with its requirements, along with a 12-step checklist that can be used to prepare for the GDPR. (PDF 1.75 MB)

EU GDPR Compliance Criteria Chart

This document, published by Secure Controls Framework, essentially provides a “paint by numbers” approach to compliance with the GDPR. It aims to help organizations demonstrate alignment with a cybersecurity framework, to ensure appropriate technical, administrative and physical controls are in place, and with a privacy framework, to ensure appropriate privacy controls are in place. (PDF 857 KB)

Fostering the practical interpretation of GDPR with Codes of Conduct

Europe’s new privacy rules avoid overly detailed phrasing where appropriate and keep the law abstract and principle-based, in part because of the speed and disruptiveness of technical innovation. However, the GDPR did not leave those areas free from oversight. The regulation emphasizes business responsibilities and grants advantages to those who voluntarily self-regulate by making themselves subject to a co-regulated code of conduct. CoCs invite all businesses, especially mic...

Implementing GDPR: Lessons learned

Ernst & Young published this document, which uses data sets and graphics to display how different organizations are implementing and complying with the GDPR. (PDF 914 KB)

IAPP Europe Data Protection Digest

To stay in the know on EU privacy news (think the GDPR, Privacy Shield and the PNR Directive, to name a few), subscribe to the IAPP Europe Data Protection Digest.

GDPR compliance: Combine and conquer

The EU General Data Protection Regulation is getting closer every day. For many privacy offices, this equates to an overwhelming workload, anxiety about where to begin, and a view of the GDPR as nothing more than a list of projects to complete and items to check off in an effort to be compliant. However, the GDPR is actually quite flexible, and compliance with its requirements is intended to be an ongoing exercise rather than an end in itself. It is a risk-based approach to privacy and d...

Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law

The EU General Data Protection Regulation affects all organizations in the EU, and some organizations outside the EU. Many organizations that had few or no compliance responsibilities under the Directive have new or increased obligations under the GDPR. This handbook from White & Case is designed to enable privacy professionals and legal functions within an organization to quickly identify the issues that are of primary importance to that organization, and determine how best to address those issues.

European Commission’s GDPR Infographic

This infographic published by the European Commission offers an overview of the General Data Protection Regulation, including what information constitutes personal data, the reason for the change, companies’ obligations and the cost of non-compliance.

The Mandatory DPO

Under Article 37 of the GDPR, data protection officers must be appointed for all public authorities, and where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data” (such as that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like, defined in Article 9).

DPO Handbook: Data Protection Officers Under the GDPR

DPO Handbook: Data Protection Officers Under the GDPR provides a comprehensive view of all aspects of the role of Data Protection Officers under the EU’s new General Data Protection Regulation, starting with a look at how organizations determine whether they need a DPO, defining the skills required for the role, and discussing how to source this skillset. The book then describes in detail the various tasks a DPO performs starting from their first day and month on the job and concludes with examples of DPOs performing their role in different types of organizations. 

The legal risks for the DPO

While the role of data protection officer has come into the spotlight given the impending General Data Protection Regulation in the EU, with that prominence may come personal liability. As the titular head of the data protection and privacy program, the DPO may be interpreted as the final decision maker surrounding the use of personal data, and in some jurisdictions that role can come with personal civil and criminal liability. In this white paper overview, IAPP Legal Extern Carissa Hanratty, CI...

WP29 guidelines on the Data Protection Officer requirement in the GDPR

The aim of these guidelines from the Article 29 Working Party is to clarify the relevant provisions in the GDPR in order to help organizations comply with the GDPR's requirement for certain controllers and processors to designate a DPO, but also to assist DPOs in their role. The guidelines also provide best practice recommendations, building on the experience gained in some EU member states. The WP29 will monitor the implementation of these guidelines and may complement them with further det...

DPO Decision Tree

Should your organization hire a data protection officer under the EU General Data Protection Regulation? DPO Network Europe offers this decision tree to help you decide.

Outsourcing your DPO: Questions to ask

As the deadline for the implementation of the GDPR nears, many if not most companies, apart from the early starters, have not yet filled the DPO role required under the new regulation. There are essential job skills and an appropriate professional profile for such roles, as discussed in earlier articles on the topic. With the limited supply of qualified and experienced DPOs insufficient to meet market demand, there will be a hurried rush to reserve any available resources for dedicated use. Fo...

How to contract with your outsourced DPO

Organizations that find themselves in need of a data protection officer under the EU General Data Protection Regulation will need to decide whether to staff it internally or outsource it, whether it is a full-time or part-time position, and whether the DPO will handle their responsibilities hands-on or by mentoring, overseeing, or training others. If an organization has decided on outsourcing the DPO role and selected its DPO based on their skills for the role, an agreement must be reached on...

Outsourcing your DPO: real-life scenarios

If you're contracting with an outsourced DPO, there are plenty of boxes to check during the hiring process. But once completed, the DPO will have a list of their own to conquer. Here are some things to consider. Once the necessary data protection officer skills are identified, the specific DPO is chosen, and the DPO services contract agreed upon with the controller/processor, the DPO can begin to undertake the tasks specified under Article 39 of the GDPR. In performing the outsourced DPO role, ...

Top 10 operational impacts of the GDPR: Part 2 - The mandatory DPO

The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non...

Where should the DPO sit within your organization?

Privacy works best when the right person is in the right place, at the right time, asking the right questions. That's according to Microsoft CPO Brendon Lynch, CIPP/US, who spoke in Brussels recently alongside Accenture Senior Director of Data Privacy Florian Thoma, FIP, CIPM, CIPP/E, CIPP/US. But where is the right place for the new mandatory DPO, required under the GDPR, to sit? The DPO's role, in part, will be to communicate with and be a representative of a company's or public entity's data ...

With mandatory DPOs looming, answering business FAQs: Part one

You all know the deadline by now. The EU’s General Data Protection Regulation will apply from 25 May 2018. This means that organizations must have implemented all the requirements it imposes by that date. Your to-do list is long, the deadline is tight, and team capabilities are limited. The appointment of privacy officers is also part of the to-do list, if your processing falls under the criteria. According to the latest IAPP study based on conservative assumptions, we will need at least 24,000...

How to 'industrialize' the data protection officer role

As most companies operating in Europe should by now be aware, there will from May 2018 be a requirement for many firms to have a data protection officer. For small companies that nonetheless handle a lot of personal data, the sensible option may be to bring in an external DPO. There's likely to be a flurry of activity in the next couple of years, and one privacy professional who's definitely looking forward to the shake-up is Xavier Leclerc, the vice-president of the French association of data ...

Study: GDPR’s global reach to require at least 75,000 DPOs worldwide

The EU’s General Data Protection Regulation will take effect in May 2018. Under its own terms, the Regulation governs the privacy practices of any company handling the personal data of individuals in the EU, whether or not that company is located in the EU. Because the EU’s 28 member states together represent the world’s largest economy and the top trading partner for 80 countries, many companies around the globe buy and sell goods to people in the EU and are thus subject to the GDPR. One of the GDPR’s requirements is that ...

GDPR conundrums: Clarity needed on the DPO requirement

In this second post in a series on conundrums within the EU General Data Protection Regulation, Morrison & Foerster’s Lokke Moerel writes about one of the most debated and amended provisions: the data protection officer requirement. Moerel looks at the final version in the context of the current Data Protection Directive and previous iterations, determining there is a great need for some clear guidance, particularly around terms such as “large-scale” data processing and “core activities.” M...

Here's what it takes to be a certified DPO in Spain

The Spanish data protection authority is the first in Europe to set up regulations for data protection officer certification schemes. The rules explain in detail what someone will need to demonstrate and do in order to become a DPO in the country. The EU General Data Protection Regulation, which will come into effect in May next year, mandates that companies engaging in large-scale monitoring of people, or handling a significant amount of sensitive personal data, will need to appoint a DPO. The...

How do the DPO and EU representative interplay?

The GDPR applies to controllers and processors that process personal data of individuals in the EU, regardless of where the organization is established in the world. Those organizations that are not established inside the EU are required to appoint a representative who is established in the EU for purposes of GDPR compliance. The GDPR also requires a data protection officer under some circumstances, and makes the role voluntary otherwise, and the Article 29 Working Party recommends the DPO be lo...

Why should a data protection officer be global?

The General Data Protection Regulation introduces a general EU-wide obligation to appoint a formal data protection officer. This role is responsible for overseeing the data protection (or privacy) management program within a controller or processor in order to satisfy regulators and assure that the organization remains in compliance with the GDPR over time. Even though other jurisdictions around the world don't mandate a DPO, it can only play well for your company's DPO role t...

Determining the reporting line of the DPO

The role attributed to the data protection officer is one manifestation of the accountability principle of the General Data Protection Regulation. As such, the GDPR requires that the DPO exercises its functions independently and that he or she “shall directly report to the highest management level” (Art. 38(3)). The regulation does not provide any guidance on the type of reporting line that needs to be established in order to satisfy this requirement. Nor have the Article 29 Working Party or d...

The EU Representative

Article 27 of the GDPR requires controllers and processors not established in the EU, but that offer goods or services to, or monitor the behavior of, people within the EU, to designate an EU-based representative to act as their Europe-facing point of contact for individuals and local data protection authorities. Article 27(2) exempts public authorities and bodies, as well as processing that is occasional, does not include large-scale processing of special categories of data or of criminal conviction data, and is unlikely to result in a risk to individuals' rights and freedoms.

Top 10 Operational Responses to the GDPR - Part 10: Communicating with supervisory authorities

In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the European Union’s General Data Protection Regulation. Now, with the May 25, 2018, GDPR implementation deadline looming, the IAPP is releasing a companion series discussing the common practical organizational responses that our members report they are undertaking in anticipation of GDPR implementation. This final installment in the 10-part series addresses why and h...

Is Article 27 the GDPR's 'hidden obligation'?

As we approach the last few weeks before ‘GDPR Day’ (if I keep calling it that, it’ll catch on…), almost all companies know at least something about the EU General Data Protection Regulation, even if it’s just that they don’t yet know enough! Statistics tell us that few companies will be 100 percent ready, but that almost all companies are now somewhere along their GDPR journey. At least that’s what is happening in the EU. Outside of the Union, where the GDPR does apply to companies processing ...

Cross-Border Data Transfer

The GDPR permits personal data transfers to a third country or international organization subject to compliance with set conditions, including conditions for onward transfer. Similar to the framework set forth in the Directive, the GDPR allows data transfers to countries whose legal regime the European Commission has deemed to provide an “adequate” level of personal data protection. In the absence of an adequacy decision, transfers to non-EU states are still allowed under certain circumstances, namely where appropriate safeguards such as binding corporate rules or standard contractual clauses are in place (Article 46) or where one of the derogations for specific situations applies (Article 49). Important distinctions between the GDPR and the Directive bear noting, in particular for the use of BCRs and standard contractual clauses.

IAPP-OneTrust EU Data Transfer Kit

The IAPP and OneTrust have partnered to provide a complimentary online platform to help organizations assess their readiness to meet the requirements of the GDPR, Privacy Shield, and Binding Corporate Rules for Processors and Controllers (BCR).

What’s in the WP29 update on transfers to third countries?

The Article 29 Working Party has released an update to Chapter 1 of its working document on transfers of personal data to third countries. The new document is designed to bring the Working Party’s guidance to the European Commission on “the adequate level of data protection” up to date in light of the General Data Protection Regulation and recent case law from the Court of Justice of the European Union. The working paper is open for comment until Jan. 17, 2018. The final version will reflect t...

Top 10 operational impacts of the GDPR: Part 4 - Cross-border data transfers

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com...

Podcast: Ustaran discusses complying with GDPR, why the Privacy Shield will make it

In this episode of The Privacy Advisor Podcast, Eduardo Ustaran, CIPP/E, discusses the most pressing issues facing privacy pros today. He offers tips on the first steps privacy pros should take toward complying with the GDPR and says, when it comes to cross-border data transfers, he thinks the Privacy Shield is going to hold up to EU regulators' scrutiny. For new privacy pros, he offers this advice: "Be prepared to learn, because you're never going to stop learning ... and there's an importance ...

GDPR conundrums: Data transfer

The data transfer regime for processors does not make sense and requires clarification. Under the GDPR, certain provisions become directly applicable to EU processors, including the data transfer requirements. Article 46 of the GDPR provides that controllers and processors may only transfer personal data to third countries that do not provide adequate protection (non-adequate countries) if the controller or processor has provided “appropriate safeguards,” and on condition that individuals a...

Certifications, Seals and Marks under the GDPR and Their Roles as Accountability Tools and Cross-Border Data Transfer Mechanisms

The Center for Information Policy Leadership produced this paper as part of its project (CIPL GDPR Project) on the consistent interpretation and implementation of the GDPR. In this paper, CIPL aims to provide the WP29, the EU Commission and data privacy practitioners with input on certifications, seals and marks under the GDPR and the roles of these instruments as accountability tools and cross-border data transfer mechanisms. The paper intends to facilitate the development of certifications, se...

The Privacy Shield: What U.S. multinational employers need to know to enjoy the benefits of the newest EU-U.S. data transfer mechanism

Since the European Court of Justice declared invalid, on October 6, 2015, the Safe Harbor agreement between the U.S. Department of Commerce and the European Commission for the transfer of personal data, hundreds of U.S. multinationals have been struggling to find an alternative while waiting hopefully for the Safe Harbor’s replacement. The Privacy Shield, effective as of July 12, 2016, may provide the alternative these organizations have been seeking. For U.S. multinationals that relied on the S...

Privacy by Design and Default

Engineering Privacy by Design Reloaded

In this paper, Seda Gürses, Princeton University; Carmela Troncoso, Gradiant; and Claudia Diaz, COSIC/iMinds, Dept. of Electrical Engineering, KU Leuven, summarize their initial conceptualization of how experts apply data minimization strategies. Specifically, based on a study of existing privacy preserving systems, they first elaborate on the design strategies hidden behind the term data minimization, offering a preliminary description of the activities that a privacy engineer performs to appl...

Check or Mate? Strategic Privacy by Design

This IAPP white paper by Enterprivacy Consulting Group's Jason Cronk attempts to contrast two approaches to privacy by design: the all-too-common PIA-based PbD approach and the proactive, or what he calls strategic, PbD approach.

PIAs and Data Mapping – Operationalizing GDPR and Privacy by Design

Sponsored by OneTrust. Given the new and challenging requirements of the GDPR, which will apply soon, companies and organizations doing business globally need to think hard about how best to implement efficient and effective data handling practices that are replicable and consistent. Beyond that, taking good care of your customers' data is simply a necessary business practice in a competitive world, and the right thing to do. As a privacy professional responsible for overseeing these operati...

Privacy by Design - The 7 Foundational Principles

This document, authored by former Information and Privacy Commissioner of Ontario Ann Cavoukian, provides readers with additional information, clarification and guidance on applying the seven foundational principles of privacy by design. This guidance is intended to serve as a reference framework and may be used for developing more detailed criteria for application and audit/verification purposes. View PDF (128 KB)... Read More

Data Protection Impact Assessments

Article 33 requires DPIAs for processing operations that present specific risks to data subjects and includes a description of what information DPIAs should contain. Article 33(3) indicates DPIAs should contain a systematic description of the envisaged processing operations, an assessment of the necessity, proportionality, and risks, the measures to address the risks, safeguards to ensure protection of personal data, demonstrated compliance with the regulation and a requirement to take into account the rights, freedoms, and legitimate interests of data subjects.

Article 33(2) cites examples of specific risks to data subjects: “a systematic and extensive evaluation of personal aspects relating to a natural person,” which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual.

Article 9(1) further specifies special categories of personal data to include data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data in order to uniquely identify a person or data concerning health or sex life and sexual orientation shall be prohibited.”

WP29 Guidelines on Data Protection Impact Assessment

The Article 29 Working Party has adopted “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679,” clarifying requirements of the EU GDPR. (October 2017) Read Now (PDF 1.13M)... Read More

How will the GDPR's DPIA requirement affect you?

You may be all too familiar with your organization’s change-management process, the regular steps of review being used, and maybe even the exact wording of its requirements — some of which may have remained unchanged for years. Up until now, the focus of change management has been centered on the interests of the organization, naturally. But now, thanks to the General Data Protection Regulation, companies will not only have to account for privacy and security measures for themselves, but also fo... Read More

IAPP-OneTrust PIA & DPIA Automation

The IAPP and OneTrust have partnered to help organizations across the globe simplify their privacy impact assessments. Through enterprise-grade automation, flexibility and customization, this tool provides a seamless experience to both the privacy office and business users throughout your organization.

Read More

AvePoint Privacy Impact Assessment System - Free Download

The AvePoint Privacy Impact Assessment (APIA) System can help you automate the process of evaluating, assessing and reporting on the privacy implications of your enterprise IT systems. Exclusively available through the IAPP, the APIA System allows you to select questions from the prepopulated bank of PIA questions or create your own, meaning you can build and save PIA templates to be reused and reported out.

Read More


An Agile Approach to PIAs and Privacy by Design

Privacy. Security. Risk. 2016. Speakers: Andrew Clearwater, CIPP/US, Director, Privacy, OneTrust; Chad Quayle, CIPT, Senior Privacy Manager, Cox Communications; Cynthia Van Ort, CIPM, CIPP/C, CIPP/US, FIP, Director, Privacy Head of NAM, LATAM and Mexico, CPO North America, Citigroup, Inc. The Agile method is an approach to project management. This method is often employed to organize teams in responding to the unpredictability of software development. The methodology uses frequent incremental work sequences ... Read More

Sample DPIA Template

This template, published by the U.K. Information Commissioner's Office, offers an example recording the process and outcomes of a DPIA. It is meant as a complement to the ICO's DPIA guidance and the Criteria for an acceptable DPIA set out in European guidelines on DPIAs. View PDF (106 KB)... Read More

How to approach DPIAs under the GDPR

The guiding principles of the General Data Protection Regulation stimulate organizations to address the issue of compliance with an approach based on continuous risk assessment. The correct implementation of a GDPR compliance model obliges organizations to review the bureaucratic and paper-based approach adopted so far, especially in Italy, to monitor the issue of privacy and to arrive at a concept of accountability. Technological innovation continually proposes new tools for an increasingly c... Read More

A Process for Data Protection Impact Assessment Under the European General Data Protection Regulation

This paper, published by Springer, examines the GDPR's data protection impact assessment provisions in detail and examines ways for their successful implementation. It proposes a process which operationalizes established requirements ensuring the appropriate attention to fundamental rights as warranted by the GDPR, incorporates the legislation’s new requirements and can be adapted to suit the controller’s needs. View PDF (1.8 MB)... Read More

Vendor Management

Articles 24, 28, 29 and 46 of the GDPR lay out specific responsibilities for companies when managing processor relationships. 

Top 10 operational impacts of the GDPR: Part 7 - Vendor Management

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com... Read More

Data-processing agreements from 30,000 feet

“Processing by a processor shall be governed by a contract or other legal act…” (Article 28, GDPR). Commonly referred to as a “data processing agreement,” this type of contract governs the relationship between a controller, a processor, and the data being processed. These contracts can come in many forms, but with the EU General Data Protection Regulation now in effect, more and more organizations will be updating their vendor contracts to include a data processing agreement, or a data processing... Read More

Example: GDPR Addendum

Marketo released this GDPR Addendum as a supplement to existing marketing automation services agreements with Marketo customers. The addendum sets out the terms that apply when personal data is processed by Marketo. View PDF (2.3 MB)... Read More

Territorial Scope

The extra-territorial scope of the GDPR has many companies outside the EU wondering whether they will need to comply. The law states: 

“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

But those terms have brought with them plenty of questions. 

What does territorial scope mean under the GDPR?

Determining an organization’s applicability under the General Data Protection Regulation is a complex topic, and many are left a bit confused while researching applicability under the monumental regulation. Oftentimes, there’s conflicting information as to whether it applies to a specific organization. The expansive coverage of the GDPR by itself can be intimidating, but, by breaking down the fundamentals into smaller, more manageable sections, we can start making better decisions on its applicabi... Read More

Will the GDPR impact you? 4 hypothetical scenarios to help you understand

When the EU General Data Protection Regulation comes into force next May, companies will have had two years to prepare and map out implementation. While some may be well ahead of the game, many others are still left wondering whether the regulations will even apply to them. Recent surveys show these companies are not alone. A recent survey by the Institute of Directors indicates that four out of ten respondents did not know if the GDPR will impact their company. Does the GDPR even apply to you... Read More

Security

Article 32 of the GDPR outlines steps organizations must take to properly secure personal information. Terms like “state of the art,” “cost of implementation,” “appropriate to the risk” leave room for interpretation. The following resources can help shine some light on how to keep your security practices on the right side of the GDPR.

Security of Personal Data

In this guide, France's data protection authority, the CNIL, lists basic precautions that should be implemented systematically throughout French organizations to best be prepared for the GDPR and the security of their customers' personal data. Read Now (PDF 1.02MB)... Read More

IAPP-OneTrust Research: Bridging ISO 27001 to GDPR

Privacy is hot. Security knows the feeling. Much as the move to digital products and services necessitated a new profession of information security, so too has the move to personalized products and services created a new profession of privacy professionals. However, while the two professions often work together, they have long worked differently. Security has traditionally worked in binary states: access or no access. Privacy has traditionally worked along a spectrum that’s context dependent.... Read More

Implementing appropriate security under the GDPR

The EU General Data Protection Regulation is finally here, and things like data mapping, data protection impact assessment, consent management, and data subject rights have been on everyone’s minds leading up to its arrival. While these operational requirements are obvious for many companies, some others have flown under the radar. One in particular that we have received questions about from our customers at OneTrust is the requirement for appropriate security. Security of processing Security of processi... Read More

Technical Requirements of the GDPR

The purpose of this white paper from PrivacyCheq is to list in detail all the technological requirements mandated by the new General Data Protection Regulation with regard to providing notice and managing consent. Read More

Understanding data processors’ ISO and SOC 2 credentials for GDPR compliance

The European Union General Data Protection Regulation puts significant new responsibilities and liabilities on data controllers regarding their use of third-party processors. Data controllers will face increased requirements to understand and contractually stipulate the policies and procedures of their processors in accordance with the GDPR. In an effort to simplify procurement and review, controllers and processors alike are likely to look towards existing privacy and security certifications as... Read More

For Processors

The GDPR distinguishes between data controllers and data processors, each with their own set of responsibilities. While controllers bear the bulk of compliance burden, processors have new requirements that also require guidance.

Processor compliance with the GDPR: A 101

The General Data Protection Regulation expands the scope of enforcement to include a number of companies that are not based in the EU, but regularly do business with EU data subjects. The GDPR's expanded scope not only affects those businesses, but also the businesses that provide processing services to them. Those processors should be prepared to assure their business partners that they take data protection seriously. The General Data Protection Regulation expands the scope of its enforcement ... Read More

Individuals' rights

Under the GDPR, individuals have new rights and controls over their data. These rights include notification of processing; data access and correction; the right to object to and restrict data processing; data portability; the right to erasure; and rights related to automated decision making.

Consent

Under the GDPR, consent is a lawful basis to transfer personal data; however, the definition of consent is significantly restricted. The GDPR requires data subjects to signal agreement by “a statement or a clear affirmative action.” Recital 32 clarifies this further, stating that affirmative action may include ticking a box on a website, “choosing technical settings for information society services,” or “another statement or conduct” that clearly indicates assent to the processing. “Silence, pre-ticked boxes or inactivity,” however, is presumed inadequate to confer consent. For organizations, that may mean making operational changes in the way you gain consent. 

The UX Guide to Getting Consent

The GDPR requires organizations to give notice to data subjects about how their data is being collected, used, shared and destroyed, but offers nothing in the way of how to do that. Create with Context and the IAPP built this handy guide to getting consent under the GDPR, combining a look into how users interact with the digital interfaces and an analysis of the text. Read More

Practical tips for consent under the GDPR

The increased consent requirements under the GDPR have been a hot topic lately, due to the Article 29 Working Party’s recently issued draft guidelines on consent, and as May 25 approaches, questions about how to comply with these requirements are pouring in at OneTrust. In this post, we will provide some practical tips to data controllers for meeting the GDPR’s stringent consent requirements, and how to put consent management into practice. Identify your processing activities First, if your or... Read More

Top 10 operational impacts of the GDPR: Part 3 – consent

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com... Read More

Are all these GDPR-consent emails even necessary?

In what appears to be panic mode, thousands of companies are pinging mailing lists to get affirmative opt-in consent from data subjects, ostensibly to comply with the EU General Data Protection Regulation. In particular, companies that don’t have clear documentation about how they acquired consent in the first place — perhaps they inherited or bought their mailing list — are asking users to click the all-important “I agree” button. But this “re-consent everyone” approach could be overkill, and a... Read More

Breach notification

The GDPR requires organizations to report certain breaches of personal information to supervisory authorities within 72 hours of becoming aware of them. For breaches posing a high risk to individuals, organizations must also notify the affected individuals without undue delay. In the IAPP’s Getting to GDPR Compliance: Risk Evaluation and Strategies for Mitigation survey, respondents rated failing to prepare for data breach notification as the number one compliance risk under the GDPR.

ICO Guidance: Personal data breaches

This guidance from the U.K. Information Commissioner’s Office outlines breach notification requirements under the EU General Data Protection Regulation, including what information needs to be included in a notification, and when organizations need to notify supervisory authorities and those affected. Read Now... Read More

Data breach notification form - Luxembourg

The Luxembourg data protection authority has provided this form, in English and French, to assist organizations in reporting data breaches to the authority in compliance with the EU General Data Protection Regulation. Download English language form (.xls) Download French language form (.xls)... Read More

Top 10 Operational Responses to the GDPR – Part 8: Data breach and the GDPR

In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the European Union’s General Data Protection Regulation. Now, with the May 25, 2018, GDPR implementation deadline looming, the IAPP is releasing a companion series discussing the common practical organizational responses that our members report they are undertaking in anticipation of GDPR implementation. This eighth installment in the 10-part series explores how the ... Read More

Record-keeping

Article 30 of the GDPR requires controllers, processors and their representatives (where applicable) to maintain records of their data processing activities. These records must also be made available to supervisory authorities upon request.

Framework for Demonstrable GDPR Compliance

Nymity Research has identified 39 articles under the GDPR that require evidence of a technical or organizational measure to demonstrate compliance and has mapped these to the Nymity Privacy Management Accountability Framework. The result is the identification of 55 “primary” technical and organizational measures that, if implemented, may produce documentation that will help demonstrate ongoing compliance with your GDPR compliance obligations. The document also identifies additional technical and... Read More

Top 10 Operational Responses to the GDPR – Part 5: Preparing and implementing data-retention and record-keeping policies and systems

In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the European Union’s General Data Protection Regulation. Now, with the May 25, 2018, GDPR implementation deadline looming, the IAPP is releasing a companion series discussing the common practical organizational responses that our members report they are undertaking in anticipation of GDPR implementation. This fifth installment in the 10-part series addresses the impor... Read More

Guide to GDPR Documentation

The U.K. Information Commissioner's Office released this guide to GDPR Documentation. Included is information, checklists and templates to help organizations in their processing and documentation in relation to GDPR compliance efforts. View PDF (1.75 MB)... Read More

Record of Processing Activities Template

The Belgian Data Protection Authority and Privacy Commission published this template that organizations can use to record their data processing activities. The template is not an official document. However, it does provide organizations with an example of what the commission is expecting to see in terms of record keeping and helps shed some light on the issue of practical implementation of the GDPR. (August 2017) Read Now... Read More

Enforcement and the Complaint Process

More than any new substantive right or complex procedure, the new GDPR measure most likely to draw attention from the C-suite is the provision on penalties and fines. In a stark departure from previous privacy legislation in Europe or elsewhere, the GDPR authorizes regulators to levy remarkably steep fines in amounts exceeding 20 million euros or four percent of annual global turnover, whichever is higher.

Top 10 operational impacts of the GDPR: Part 10 - Consequences for GDPR Violations

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com... Read More

GDPR Complaint-Process Map

The General Data Protection Regulation is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each Member State and will lead to a greater degree of data protection harmonization across EU nations. The GDPR empowers data subjects to seek judicial relief for damages and file administrative complaints with supervisory authorities. The GDPR’s consistency mechanisms – encouraging supervisory authorities to cooperate and agree on infringeme... Read More

Is it possible to choose your lead supervisory authority under the GDPR?

The General Data Protection Regulation regulates cross-border processing of personal data. For many organizations, identifying their lead supervisory authority (LSA), the principal EU regulator responsible for enforcement of the GDPR in relation to cross border processing, will be straightforward. For others, with data decision-makers in various parts of the EU or with decision-making power regarding data taken outside of the EU but processing data affecting individuals in multiple Member States... Read More

Implementation and derogations

While a main goal of the GDPR is the harmonization of data protection law throughout the EU, member states will create their own laws implementing the provisions. In some cases, the GDPR offers the ability for provisions to be interpreted differently from nation to nation. 

The Race to GDPR: A Study of Companies in the United States & Europe

More than 1,000 companies in the United States and European Union are represented in this study conducted by The Ponemon Institute and sponsored by McDermott Will and Emery LLP. Participants in this research work in a variety of departments including IT, IT security, compliance, legal, data protection office and privacy. Ninety percent of respondents say their company is subject to GDPR and 10 percent are unsure. Almost half of companies represented in this research will not meet the May 25 dead... Read More

What the GDPR Requires of and Leaves to the Member States

This IAPP white paper is divided broadly into two sections: The first explores the legislative actions that the GDPR requires member states to take, while the second examines the optional powers and authority available to them to carve out exceptions for or to clarify the GDPR’s rules. This distinction is derived from the division between what the member states “shall” and “may” do within the articles of the GDPR. These cover such areas as the processing of sensitive data; data processing in the... Read More

Derogations and special conditions

Bird &amp; Bird offers an overview of special conditions in the EU General Data Protection Regulation, where member states may (or are required to) implement supplemental laws. The guidance also includes a checklist to help controllers ensure compliance. Read Now (PDF 163KB)... Read More

Other Analysis and Opinion

The GDPR and You

In order to provide clear guidance and a practical starting point, the Irish Data Protection Commissioner has compiled this checklist to assist Irish organizations in achieving full compliance with the EU General Data Protection Regulation. Read Now (PDF 278K)... Read More

Risk and high risk: Walking the GDPR tightrope

One of the most important developments in privacy and security law over the last decade has been the increased focus on risk as a touchstone for regulation. The “risk principle” is the idea that organizations that process and use personal data should devote more resources to the activities that raise the most significant threats, and that the law should promote a nuanced approach rather than imposing one-size-fits-all regulation. The EU’s General Data Protection Regulation adopts the risk princ... Read More

How GDPR changes the rules for research

The General Data Protection Regulation (GDPR) will come into effect in the spring of 2018, replacing the Data Protection Directive 95/46/EC and imposing new obligations on organizations that process the personal data of European Union residents. While the Regulation aims to bolster privacy rights, it arrives as a centerpiece of the EU Digital Single Market, an initiative designed to boost digital innovation within the EU. By harmonizing privacy legislation across the EU member states and carvin... Read More


The Making of the GDPR

A brief history of the General Data Protection Regulation

On 28 January 2016: The 47 countries of the Council of Europe as well as European institutions, agencies and bodies celebrated the 10th annual European Data Protection Day, which marks the anniversary of the Council of Europe's Convention 108. The series of events dedicated to this anniversary included a conference co-hosted by the European Parliament and the European Data Protection Supervisor for EU officials on the EU data protection reform. On 21 December 2015: The European Commission ... Read More

Unravelling the Mysteries of the GDPR Trilogues

In recent days, "trilogue" seems to be the buzz word on everyone's lips, following the adoption by the Council of Ministers of the European Union of the General Data Protection Regulation (GDPR) in a first reading on 11 June. But what exactly is a "trilogue"? What is the meaning of this obscure concept that only exists under European Union law? Following my previous article on the EU's ordinary legislative procedure, I will try through this article to unravel the mysteries of the trilogue by exp... Read More