EU General Data Protection Regulation

Image

In December 2016, the EU Parliament and Council agreed upon the EU General Data Protection Regulation, first proposed in 2012, and as of May 25, 2018, it is in effect.

The GDPR offers a framework for data protection with increased obligations for organizations, and its reach is far and wide. It is applicable to any organization — no matter where it resides — that intentionally offers goods or services to the European Union, or that monitors the behavior of individuals within the EU.

This page is regularly updated with relevant resources to help organizations and individuals determine how the GDPR affects them.

Subscribe to the IAPP Europe Data Protection Digest e-newsletter!
Be in-the-know on EU privacy news (think the GDPR, Privacy Shield, and the PNR Directive, to name a few) by subscribing to the Europe Data Protection Digest e-newsletter.

Featured Resources

GDPR at Five

Policymakers, companies, and regulators have zeroed in on the importance of privacy to businesses, citizens, and societies. These statistics point to the GDPR’s tangible impact since becoming applicable in 2018.
Read More

Ireland DPC’s data transfers decision

With the DPC fining Meta 1.2 billion euros, this article takes stock of the decision in terms of the orders it contains but also the political history that helped the DPC arrive at its final ruling.
Read More

GDPR Genius

This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more.
Read More


Latest News and Resources

Using sensitive data to prevent AI discrimination: Does the EU GDPR need a new exception?

Organizations can use artificial intelligence to make decisions about people for a variety of reasons, such as selecting the best candidates from many job applications. However, AI systems can have discriminatory effects when used for decision making. For example, an AI system could reject applications of people with a certain ethnicity, even though the organization did not plan such discrimination. In Europe, an organization can run into a problem when assessing whether its AI system accidenta... Read More

Are EU AI Act sandboxes viable without GDPR waivers for experimentation?

The proposed EU Artificial Intelligence Act is anticipated to pave the way for a regulated approach to the future development of artificial intelligence. One means of testing new AI technologies is through regulatory sandboxes created by various data protection authorities around Europe. To explore how AI regulatory sandboxes are helping companies develop their machine-learning models, IAPP Managing Director, Europe, Isabelle Roccia hosted a Linkedin Live session Dec. 12 with Secure Practice co... Read More

FPF: Regulatory Strategies of European Data Protection Authorities
(Future of Privacy Forum, February 2023)
Meta’s EU data transfer case faces Article 65 dispute resolution mechanism
(IAPP, January 2023)
Breaking down enforcement of Meta’s legal basis for personalized ads
(IAPP, January 2023)
Web Conference: How to Gear Your Privacy Team Up for the FTC’s Priorities and GDPR Developments
(IAPP, September 2022)
UK DPDI Bill: Comparative analysis with the EU GDPR and ePrivacy framework
(IAPP, July 2022)
Proposed EU AI Act blurs lines between AI developers and data processors under GDPR
(IAPP, July 2022)
Sanctions under EU GDPR and recent data regulations: A case of double jeopardy?
(IAPP, July 2022)
Record of processing activities — Are you ready for maturity?
(IAPP, June 2022)
A look behind the EDPB’s move to enhance enforcement cooperation
(IAPP, May 2022)
Consent as legal basis for EU and UK employment
(IAPP, May 2022)
CJEU ruling on GDPR litigation builds ‘jurisprudence on data protection’
(IAPP, May 2022)
ICO GDPR Guidance: Special Category Data
(UK ICO, April 2022)
GDPR’s One-Stop-Shop Cross-Border Complaint Statistics (2018-2021)
(Irish DPC, March 2022)
Dodging the one-stop shop
(IAPP, February 2022)
A survey of the impact of GDPR and its effect on organisations in Ireland
(Mazars and McCann Fitzgerald, January 2022)
CNIL – GDPR Guide for Developers
(CNIL, December 2021)
How GDPR Affected Procurement Function and Practitioners
(Dr. Taoufik Samaka, November 2021)
Would anyone in their right mind reopen the GDPR? The IAF’s answer is yes.
(IAPP, August 2021)
Web Conference: #MeToo vs. GDPR: Investigating Sexual Misconduct by EU Employees
(IAPP, July 2021)
Web Conference: Code of Conduct Under GDPR: Alignment, Interoperability and Potentials
(IAPP, June 2021)
LinkedIn Live: ‘The GDPR at 3: The Law’s Tangible Impacts Around the Globe’
(IAPP, June 2021)
3 years in, GDPR highlights privacy in global landscape
(IAPP, May 2021)
GDPR basics: DPOs explained for digital health companies
(Chini.io, May 2021)
GDPR for Marketing: 2021 Guide
(Super Office, May 2021)
Federal Constitutional Court: CJEU must clarify whether GDPR provides materiality threshold
(IAPP, February 2021)
DLA Piper GDPR Data Breach Survey 2021
(DLA Piper, January 2021)
Encrypt your data to make GDPR and Russian Data Localization Law compatible
(IAPP, December 2020)
Web Conference: The LGPD, GDPR, CCPA and More – How to Abide by Multiple Privacy Laws
(IAPP, September 2020)
Privacy pros say GDPR dispute-resolution trigger ‘no surprise’
(IAPP, August 2020)
Irish DPC: GDPR regulatory activities report
(Irish DPC, June 2020)
Bird & Bird Guide to the General Data Protection Regulation
(Bird & Bird, May 2020)
Web Conference: The Impact of CCPA and GDPR on Data Management
(IAPP, May 2020)
GDPR’s second anniversary: A cause for celebration — and concern
(IAPP, May 2020)
The GDPR at Two: Expert Perspectives
(IAPP, May 2020)
White Paper – DPAs on the Ground
(IAPP, April 2020)
How SaaS providers are preparing for GDPR
(EnterpriseReady, March 2020)
Why Blockchain is not inherently at odds with GDPR
(Lokke Moerel and Marijn Storm, February 2020)
What you must know about ‘third parties’ under GDPR and CCPA
(IAPP, November 2019)
Platform helps organizations take deep dives into GDPR, CCPA
(IAPP, October 2019)
How to ‘background check’ under the GDPR
(IAPP, October 2019)
GDPR and CCPA: A compatibility story
(IAPP, October 2019)
Guide​ ​for​ ​multi-controller​ ​situations​ ​under​ ​the​ ​GDPR
(Gerrish Legal, September 2019)
How pharmacists can comply with GDPR
(The Pharmaceutical Journal, August 2019)
The tension between GDPR and the rise of blockchain technologies
(CMS, July 2019)
Publicly available data under the GDPR: Main considerations
(IAPP, May 2019)
GDPR one year later: Looking backward and forward
(IAPP, May 2019)
White Paper – GDPR at One Year: What We Heard from Leading European Regulators
(IAPP, May 2019)
Want Europe to have the best AI? Reform the GDPR
(IAPP, May 2019)
GDPR – A new age for data protection
(IAPP, May 2019)
IBM White Paper: Blockchain and GDPR
(IBM, May 2019)
GDPR One Year Anniversary – Infographic
(IAPP, May 2019)
Web Conference: GDPR for Dummies — Lessons From the Last 12 Months
(IAPP, May 2019)
Global recall: How the GDPR impacts product recalls
(IAPP, March 2019)
Privacy professionals begin to look back at year one of the GDPR
(IAPP, March 2019)
Recap: EDPB’s first-year review of GDPR
(IAPP, March 2019)
Op-ed: Encrypted data may still be personal under GDPR
(IAPP, March 2019)
GDPR Enforcement Priorities
(IAPP, April 2018)
Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation
(Data Protection Network, April 2018)
The General Data Protection Regulation Matchup Series
(IAPP, May 2017)
GDPR Awareness Guide
(IAPP, January 2017)
View More Resources

Law and Official Guidance

Article 29 Working Party and European Data Protection Board Guidance

The Article 29 Working Party, a group including representatives from data protection authorities of all EU member states, published guidance to clarify certain provisions of the GDPR. With the enactment of the GDPR came a new advisory body, the European Data Protection Board, or EDPB, which has now replaced the WP29 in creating data protection guidance. Find all guidance from both bodies here.

All of the European Data Protection Board and Article 29 Working Party guidelines, opinions, and documents

From the European Data Protection Board (EDPB) Upon enactment of the EU General Data Protection Regulation, May 25, 2018, the European Data Protection Board replaced the WP29. EDPB General Guidance All EDPB Documents GDPR: Guidelines, Recommendations, Best Practices Public Consultations Consistency Findings Other documents From the Article 29 Data Protection Working Party The WP29 was an advisory body made up of representatives from the data protection authorities of each EU member stat... Read More

Data Protection Impact Assessments

EU Member State DPIA Whitelists, Blacklists and Guidance

Data protection authorities of many EU member states have published draft lists of data processing activities that would trigger the need for a data protection impact assessment in that country. The European Data Protection Board weighed in on the drafts, you can find its opinions here. And IAPP Westin Fellow Müge Fazlioglu, CIPP/E, CIPP/US, has written an analysis of the opinions here. IAPP extern Darya Balybina, CIPP/E, CIPP/US, CIPM has written an analysis, "What is and what isn't subject t... Read More

What's subject to a DPIA under the GDPR? EDPB on draft lists of 22 supervisory authorities

Under the European Data Protection Regulation, data protection impact assessments are required when data processing is “likely to result in a high risk to the rights and freedoms of natural persons.” Exactly what “high risk” entails, however, has been a difficult question to answer. Article 35.3 of the GDPR provides a non-exhaustive list of examples of data processing activities that require DPIAs. The Article 29 Working Party Guidelines on DPIAs also offer help in identifying when DPIAs are nec... Read More

How to approach DPIAs under the GDPR

The guiding principles of the EU General Data Protection Regulation stimulate organizations to address the issue of compliance with an approach based on continuous risk assessment. The most appropriate response to support the profound changes required by the GDPR is the implementation of a privacy management model (or privacy management system), adopted to guarantee the company is in compliance with voluntary certification schemes or compliance with mandatory regulations. One of the "engines" of... Read More

Web Conference: PIAs and Data Mapping – Operationalizing GDPR and Privacy by Design

Original broadcast date: August 24, 2016 Join us in this virtual discussion as we walk you through the process of creating a PIA, and hear us tackle the critical questions including, when and why a PIA is a necessary and useful tool, how PIAs evolve over time, what templates should you use, or should you use a template at all, what resources are at your disposal, how to continue to benchmark and improve your PIA over time, and once you've completed a PIA, how do you share its value with upper management and others in the organization among others. Read More

Infographic: What triggers a DPIA under the GDPR?

Published: July 2018Click To View (PDF)Click To View (PNG) The IAPP has created this infographic to help you determine what kinds of activities are more likely to trigger a mandatory data protection impact assessment under the EU General Data Protection Regulation. Print it out for a quick reference when determining how to move forward with a business activity that involves personal information of individuals in the EU. ... Read More

Data Transfers, Processing and Retention

Proposed EU AI Act blurs lines between AI developers and data processors under GDPR

The proposed EU Artificial Intelligence Act and its intersections with the EU General Data Protection Regulation could present compliance issues for data compliance officers across the continent, according to IAPP Senior Westin Research Fellow Jetty Tielemans. The AI Act has some similarities with the Digital Services Act and the Digital Markets Act regarding how they clarify the GDPR, Tielemans said during a recent IAPP LinkedIn Live. However, she explained the AI Act differs in that "sensitiv... Read More

Record of processing activities — Are you ready for maturity?

Let’s be honest — back in 2018, when the EU General Data Protection Regulation was enforced in Europe, most companies were in a rush to comply by the due date. There were many reasons for that, typical of significant changes in laws and regulation: difficulties to convince senior executives of the importance early enough, time necessary to size and scope a program and obtain a decent budget, lack of internal skills and knowledge, and lack of clarity on the requirements. In a nutshell, organizati... Read More

CNIL publishes guidance on data processing roles under EU GDPR

France’s data protection authority, the Commission nationale de l'informatique et des libertés, published guidance on the identification of a “controller,” “subcontractor,” and “joint principal” under the EU General Data Protection Regulation. Each role influences “the nature and extent of their responsibilities” regarding data, the CNIL said, and each must be identified “as soon as possible.” The CNIL said the guidance includes details on legal criteria, qualifications to consider and more.Full... Read More

Filling in the blanks: What is the transfer of personal data and when will Chapter V obligations be applicable?

On Nov. 18, the European Data Protection Board adopted draft guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the EU General Data Protection Regulation. The draft guidelines are open to public consultation until the end of January. GDPR regulates transfers of data: But what is a transfer? Chapter V of the GDPR sets out rules for the transfer of personal data to third countries or international organizatio... Read More

Data Transfers from the EU: Will derogations save the day?

Original Broadcast Date: March 2021 In this Linkedin Live, IAPP Vice President and Chief Knowledge Officer Omer Tene and Bird & Bird International Privacy and Data Protection Group Co-head Ruth Boardman discuss the opportunities and challenges around Article 49 of the EU General Data Protection Regulation. Watch the full recording on LinkedIn. Access the IAPP's LinkedIn profile ... Read More

DPOs and EU Representatives

DPO Report Template

This slide deck created by the IAPP research team offers a customizable template for a report to organizational leadership to help Data Protection Officers show the activities of the data protection team as well as record compliance with the General Data Protection Regulation. Read More

GDPR Appointment of Data Protection Officer Letter

This toolkit from TermsFeed outlines whether organizations need to comply with the EU General Data Protection Regulation, especially regarding the appointment of a data protection officer. They explain the role of the DPO, how to determine whether you need one, and how to put together a compliant Appointment of Data Protection Officer Letter.  Click To View ... Read More

How to Provide DPO Contact Information to Your DPA

Last Updated: April 2021 Article 37(7) of the EU General Data Protection Regulation requires that “the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.” But how does one go about communicating this information to relevant authority? Is there a formal process, or can companies simply send an email with a DPO’s name, phone number and email address? As it turns out, different jurisdictions have settled... Read More

Does the recent fine for a Canadian website without an EU representative signal a change in GDPR enforcement priorities?

The role of representative under the EU General Data Protection Regulation remains one of the lesser-known obligations under the GDPR — it has been referred to as a "hidden obligation."  The problem is this obligation applies to companies with no EU establishment, which likely refers to small and medium-sized business enterprises and companies that may still be in the early stages of growth. They are less likely to pay for a quality privacy consultant to inform them they need an EU representati... Read More

Enforcement and Complaints

Top 10 operational impacts of the GDPR: Part 10 - Consequences for GDPR Violations

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com... Read More

What the DPC-Meta decision tells us about the EU GDPR dispute resolution mechanism

Enforcement of the EU General Data Protection Regulation started with a bang Jan. 4 as Ireland's Data Protection Commission adopted final decisions on two inquiries into Meta’s Facebook and Instagram. The decisions focused on Meta subsidiaries’ use of contract as a legal basis for its personalized advertising model and led to steep 390 million euro fines for the company’s household brands. You can take a look at the IAPP’s initial reporting and our refresher of the GDPR’s six legal bases for per... Read More

Breaking down enforcement of Meta’s legal basis for personalized ads

Last week, Ireland's Data Protection Commission fined Meta 390 million euros — 210 million euros against Facebook and 180 million euros against Instagram. In its decision, the DPC announced the platforms’ basis for seeking user permission to collect data for personalized advertising is invalid and gave the company three months to bring data processing operations into compliance with the EU General Data Protection Regulation. Notably, the decision that Meta’s contract-based request for personali... Read More

Irish DPC fines Meta 390M euros over legal basis for personalized ads

The Irish Data Protection Commission adopted final decisions on two inquiries into Meta’s Facebook and Instagram, fining the company a total of 390 million euros and potentially leading to an upheaval of its personalized advertising model in the EU. The DPC announced Meta’s basis for seeking user permission to collect data for personalized advertising, used by its Facebook and Instagram platforms, is invalid and gave the company three months to bring its data processing operations into complian... Read More

Sanctions under EU GDPR and recent data regulations: A case of double jeopardy?

The European Union is on the verge of adopting a series of regulations that will affect how data is collected and shared in the EU. These include the Data Governance Act, the Digital Services Act, the Digital Markets Act, the Artificial Intelligence Act and the Data Act. These acts do not focus on personal data — in fact, European lawmakers continuously stress that the main aim of these acts is to regulate nonpersonal data. But these acts also do not exempt personal data from their scope of appl... Read More

EDPB issues Article 65 decision on CNIL fine
(IAPP, August 2022)
10 years after: The EU’s ‘crunch time’ on GDPR enforcement
(IAPP, June 2022)
Authorities collaborate on EU GDPR investigation
(IAPP, June 2022)
A look behind the EDPB’s move to enhance enforcement cooperation
(IAPP, May 2022)
CJEU ruling on GDPR litigation builds ‘jurisprudence on data protection’
(IAPP, May 2022)
GDPR’s One-Stop-Shop Cross-Border Complaint Statistics (2018-2021)
(Irish DPC, March 2022)
Dodging the one-stop shop
(IAPP, February 2022)
GDPR Complaint-Process Map
(IAPP)
CIPL Discussion Paper: GDPR Enforcement Cooperation and the One-Stop-Shop Learning from the First Three Years
(CIPL, August 2021)
A Guide to GDPR Compliant Call Recordings
(Semafone, January 2021)
Bloomberg Law: Lessons Learned from Key GDPR Enforcement Cases
(Bloomberg Law, August 2020)
What US companies can learn from GDPR enforcement
(IAPP, June 2020)
Legal analysts expect UK GDPR fines to be delayed again
(IAPP, May 2020)
The Privacy Advisor Podcast: GDPR-based class actions on the rise
(IAPP, May 2020)
GDPR ushers in civil litigation claims across the EU
(IAPP, March 2020)
Brave files GDPR complaint against Google
(IAPP, March 2020)
With hefty GDPR fines, a new industry emerges
(IAPP, July 2019)
Two major GDPR complaints: A close-up
(IAPP, May 2019)
Why you should pay close attention to the Polish DPA’s first GDPR fine
(IAPP, April 2019)
First GDPR fine in Portugal issued against hospital for three violations
(IAPP, January 2019)
What’s a GDPR complaint? No one really knows
(IAPP, August 2018)
Cease processing orders under GDPR: How the Irish DPA views enforcement
(IAPP, August 2018)
Is it possible to choose your lead supervisory authority under the GDPR?
(IAPP, November 2017)
View More Resources

Implementation, derogations and territorial scope

Article 49 Derogations — Summary Table with Examples

There are specific recitals that relate to the derogations in Article 49, as well as detailed guidance from the EDPB. Before attempting to rely on the derogations, organizations need to be aware of these additional considerations. This table summarizes this material so readers can see at a glance the factors relevant for each derogation. Read More

Comparing the role of the DPO under the GDPR and Turkish law

Appointment of a data privacy officer is regulated in detail under the EU General Data Protection Regulation. Mandatory DPO appointment is imposed under certain circumstances, and legal requirements are determined for the DPO role in terms of qualification as well as authorization. Under the Law on Protection of Personal Data numbered 6698 in Turkey, there is no legal requirement to appoint a DPO for data controllers, but there is a role introduced for the purposes of fulfilling the data control... Read More

Data Transfers from the EU: Will derogations save the day?

Original Broadcast Date: March 2021 In this Linkedin Live, IAPP Vice President and Chief Knowledge Officer Omer Tene and Bird & Bird International Privacy and Data Protection Group Co-head Ruth Boardman discuss the opportunities and challenges around Article 49 of the EU General Data Protection Regulation. Watch the full recording on LinkedIn. Access the IAPP's LinkedIn profile ... Read More

Individuals' rights and Consent

White Paper – The UX Guide to Getting Consent

(December 2017) – The GDPR requires organizations to give notice to data subjects about how their data is being collected, used, shared and destroyed, but offers nothing in the way of how to do that. Create with Context and the IAPP built this handy guide to getting consent under the GDPR, combining a look into how users interact with the digital interfaces and an analysis of the text. Read More

Top 10 operational impacts of the GDPR: Part 3 – consent

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com... Read More

Just say yes: GDPR consent is not as simple as it seems

The concept of consent as included in the EU General Data Protection Regulation seems to have stumped many organizations. They seem to be under the mistaken impression that they are no longer allowed to process personal data without asking consent for everything they do. Recently, the Greek Data Protection Authority issued a 150,000 euro fine against PricewaterhouseCoopers for the wrongful use of consent as a legal basis for processing its employees’ personal data. Under the GDPR, consent shoul... Read More

In life sciences research, 'informed consent' isn't enough

The recently issued European Data Protection Board Opinion 3/2019 stipulates that “informed consent” from clinical trial participants for life science research purposes typically does not satisfy requirements for consent as a legal basis for processing personal data under the EU General Data Protection Regulation. There has been strong disappointment voiced within the life sciences community by those who believe that “informed consent” necessary to comply with EU member state clinical trial laws... Read More

Practical tips for consent under the GDPR

The increased consent requirements under the GDPR have been a hot topic lately, due to the Article 29 Working Party’s recently issued draft guidelines on consent, and as 25 May approaches, questions about how to comply with these requirements are pouring in at OneTrust. In this exclusive for The Privacy Advisor, OneTrust’s Andrew Clearwater, CIPP/US, and Brian Philbrook, CIPP/E, CIPP/US, CIPM, CIPT, FIP, provide some practical tips for data controllers on meeting the GDPR’s stringent consent req... Read More

Dark Patterns after the GDPR: Scraping Consent Pop-Ups and Demonstrating Their Influence
(Aarhus University, Massachusetts Institute of Technology and University College, London, January 2020)
“(Un)informed Consent: Studying GDPR Consent Notices in the
Field”
(Ruhr-Universität Bochum, August 2019)
How to comply with the right to erasure (if you haven’t already!)
(IAPP, August 2018)
Are all these GDPR-consent emails even necessary?
(IAPP, May 2018)
View More Resources

Privacy Programs and Compliance

eBook – Top 10 operational responses to the GDPR

Published: March 2018Click To View (PDF) In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the EU General Data Protection Regulation. Now, with the May 25, 2018, GDPR-implementation deadline looming, the IAPP is releasing a companion series to present common practical organizational responses that our members report undertaking in anticipation of GDPR implementation. Part 1: Data inventory and mapping Part 2: L... Read More

Top 10 operational impacts of the GDPR: Part 7 - Vendor Management

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com... Read More

Hands-On Guide to GDPR Compliance

Authors: Karen Lawrence Öqvist, Filip JohnssénPurchase PrintPurchase Digital “There are six words in the General Data Protection Regulation (GDPR) which has triggered a paradigm shift in how privacy compliance is dealt with by EU organisations. The GDPR mandates that an organisation must practice ‘data protection by design, by default’. What this means is that every organisation must weave privacy-thinking into its DNA. Hence, the paradigm shift has expanded privacy compliance out of the lega... Read More

Security and Breach Notifications

Is the EDPB’s ‘targeted update’ to data breach reporting guidance a ‘mini-budget’ moment for GDPR regulation?

You would have had to be living under a rock to have missed all the political turmoil in the U.K. over the past few weeks concerning the U.K. government’s “mini-budget.” In essence, even the staunchest government allies now accept it was a mistake to make changes to the U.K. tax system without fully thinking through the consequences of those changes, resulting in the need to make a series of embarrassing political U-turns. The government’s ill-advised changes should be a cautionary tale for the... Read More

Implementing appropriate security under the GDPR

The EU General Data Protection is finally here, and things like data mapping, data protection impact assessment, consent management, and data subject rights have been on everyone’s minds leading up to its arrival. While these operational requirements are obvious for many companies, some others have flown under the radar. One in particular that we have received questions about from our customers at OneTrust is the requirement for appropriate security. Security of processing Security of processi... Read More

Understanding data processors’ ISO and SOC 2 credentials for GDPR compliance

The European Union General Data Protection Regulation puts significant new responsibilities and liabilities on data controllers regarding their use of third-party processors. Data controllers will face increased requirements to understand and contractually stipulate the policies and procedures of their processors in accordance with the GDPR. In an effort to simplify procurement and review, controllers and processors alike are likely to look towards existing privacy and security certifications as... Read More

White Paper – IAPP-OneTrust Research: Bridging ISO 27001 to GDPR

(March 2018) – The IAPP and OneTrust have undertaken the task of mapping the most common security operations standard, ISO’s 27001, to the world’s most influential piece of privacy legislation, the GDPR, so as to create a framework for understanding just how closely they align and how much of the work toward GDPR compliance that security has likely already done. With this research project, we have identified six main areas of common ground that should help every organization align their security and privacy operations in a way that will create efficiencies and, hopefully, reduce the risk of a damaging incident while increasing productivity and customer trust. Read More

The Making of the GDPR

A brief history of the General Data Protection Regulation (1981-2016)

Last Updated: February 2016 On 28 January 2016: The 47 countries of the Council of Europe as well as European institutions, agencies and bodies celebrated the 10th annual European Data Protection Day which marks the anniversary of the Council of Europe's Convention 108. The series of events dedicated to this anniversary included a conference co-hosted by the European Parliament and the European Data Protection Supervisor for EU officials on the EU data protection reform. On 21 December 2015:... Read More

Unravelling the Mysteries of the GDPR Trilogues

In recent days, "trilogue" seems to be the buzz word on everyone's lips, following the adoption by the Council of Ministers of the European Union of the General Data Protection Regulation (GDPR) in a first reading on 11 June. But what exactly is a "trilogue"? What is the meaning of this obscure concept that only exists under European Union law? Following my previous article on the EU's ordinary legislative procedure, I will try through this article to unravel the mysteries of the trilogue by exp... Read More