EU General Data Protection Regulation


In December 2016, the EU Parliament and Council agreed upon the EU General Data Protection Regulation, first proposed in 2012, and as of May 25, 2018, it is in effect.

The GDPR offers a framework for data protection with increased obligations for organizations, and its reach is far and wide. It is applicable to any organization — no matter where it resides — that intentionally offers goods or services to the European Union, or that monitors the behavior of individuals within the EU.

This topic page is regularly updated with relevant documents and expert analysis to help organizations determine how the GDPR affects them.


Featured Resources

GDPR Genius

This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more.

GDPR sanctions and recent regulations: double jeopardy?

New EU data regulation proposals leave the potential for double enforcement of violations under any of these new rules and the GDPR. This article explains the developing situation and what it might look like when the competent authorities for these laws need to collaborate.

GDPR Code of Conduct

Given the recent approval of the EU Cloud CoC as the first transnational code of conduct under the GDPR, our distinguished panel will give an overview of the trajectory that led to this milestone.


Latest News and Resources

Proposed EU AI Act blurs lines between AI developers and data processors under GDPR

The proposed EU Artificial Intelligence Act and its intersections with the EU General Data Protection Regulation could present compliance issues for data compliance officers across the continent, according to IAPP Senior Westin Research Fellow Jetty Tielemans. The AI Act has some similarities with the Digital Services Act and the Digital Markets Act regarding how they clarify the GDPR, Tielemans said during a recent IAPP LinkedIn Live. However, she explained the AI Act differs in that "sensitiv...

Record of processing activities — Are you ready for maturity?

Let’s be honest — back in 2018, when the EU General Data Protection Regulation was enforced in Europe, most companies were in a rush to comply by the due date. There were many reasons for that, typical of significant changes in laws and regulation: difficulties to convince senior executives of the importance early enough, time necessary to size and scope a program and obtain a decent budget, lack of internal skills and knowledge, and lack of clarity on the requirements. In a nutshell, organizati...

A look behind the EDPB's move to enhance enforcement cooperation

As the EU General Data Protection Regulation celebrates its fourth anniversary since going into effect May 25, 2018, enforcement of the world's most comprehensive data protection regulation is still evolving. No doubt, data protection authorities in the EU have been busy during the last four years. European Data Protection Board Chair Andrea Jelinek, who also serves as head of Austria's DPA, recently noted the EDPB has "invested a great deal of resources in the interpretation and consistent ap...

Consent as legal basis for EU and UK employment
(IAPP, May 2022)
CJEU ruling on GDPR litigation builds ‘jurisprudence on data protection’
(IAPP, May 2022)
ICO GDPR Guidance: Special Category Data
(UK ICO, April 2022)
GDPR’s One-Stop-Shop Cross-Border Complaint Statistics (2018-2021)
(Irish DPC, March 2022)
Dodging the one-stop shop
(IAPP, February 2022)
A survey of the impact of GDPR and its effect on organisations in Ireland
(Mazars and McCann Fitzgerald, January 2022)
CNIL – GDPR Guide for Developers
(CNIL, December 2021)
How GDPR Affected Procurement Function and Practitioners
(Dr. Taoufik Samaka, November 2021)
Would anyone in their right mind reopen the GDPR? The IAF’s answer is yes.
(IAPP, August 2021)
FPF: Regulatory Strategies of European Data Protection Authorities
(Future of Privacy Forum, July 2021)
LinkedIn Live: ‘The GDPR at 3: The Law’s Tangible Impacts Around the Globe’
(IAPP, June 2021)
GDPR at Three
(IAPP, May 2021)
3 years in, GDPR highlights privacy in global landscape
(IAPP, May 2021)
GDPR basics: DPOs explained for digital health companies
(Chini.io, May 2021)
GDPR for Marketing: 2021 Guide
(Super Office, May 2021)
Federal Constitutional Court: CJEU must clarify whether GDPR provides materiality threshold
(IAPP, February 2021)
DLA Piper GDPR Data Breach Survey 2021
(DLA Piper, January 2021)
Encrypt your data to make GDPR and Russian Data Localization Law compatible
(IAPP, December 2020)
Web Conference: The LGPD, GDPR, CCPA and More – How to Abide by Multiple Privacy Laws
(IAPP, September 2020)
Privacy pros say GDPR dispute-resolution trigger ‘no surprise’
(IAPP, August 2020)
Irish DPC: GDPR regulatory activities report
(Irish DPC, June 2020)
Bird & Bird Guide to the General Data Protection Regulation
(Bird & Bird, May 2020)
Web Conference: The Impact of CCPA and GDPR on Data Management
(IAPP, May 2020)
GDPR’s second anniversary: A cause for celebration — and concern
(IAPP, May 2020)
The GDPR at Two: Expert Perspectives
(IAPP, May 2020)
White Paper – DPAs on the Ground
(IAPP, April 2020)
How SaaS providers are preparing for GDPR
(EnterpriseReady, March 2020)
Why Blockchain is not inherently at odds with GDPR
(Lokke Moerel and Marijn Storm, February 2020)
What you must know about ‘third parties’ under GDPR and CCPA
(IAPP, November 2019)
Platform helps organizations take deep dives into GDPR, CCPA
(IAPP, October 2019)
How to ‘background check’ under the GDPR
(IAPP, October 2019)
GDPR and CCPA: A compatibility story
(IAPP, October 2019)
Guide​ ​for​ ​multi-controller​ ​situations​ ​under​ ​the​ ​GDPR
(Gerrish Legal, September 2019)
How pharmacists can comply with GDPR
(The Pharmaceutical Journal, August 2019)
The tension between GDPR and the rise of blockchain technologies
(CMS, July 2019)
Publicly available data under the GDPR: Main considerations
(IAPP, May 2019)
GDPR one year later: Looking backward and forward
(IAPP, May 2019)
White Paper – GDPR at One Year: What We Heard from Leading European Regulators
(IAPP, May 2019)
Want Europe to have the best AI? Reform the GDPR
(IAPP, May 2019)
GDPR – A new age for data protection
(IAPP, May 2019)
IBM White Paper: Blockchain and GDPR
(IBM, May 2019)
GDPR One Year Anniversary – Infographic
(IAPP, May 2019)
Web Conference: GDPR for Dummies — Lessons From the Last 12 Months
(IAPP, May 2019)
Global recall: How the GDPR impacts product recalls
(IAPP, March 2019)
Privacy professionals begin to look back at year one of the GDPR
(IAPP, March 2019)
Recap: EDPB’s first-year review of GDPR
(IAPP, March 2019)
Op-ed: Encrypted data may still be personal under GDPR
(IAPP, March 2019)
GDPR Enforcement Priorities
(IAPP, April 2018)
Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation
(Data Protection Network, April 2018)
The General Data Protection Regulation Matchup Series
(IAPP, May 2017)
GDPR Awareness Guide
(IAPP, January 2017)

Law and Official Guidance

Article 29 Working Party and European Data Protection Board Guidance

The Article 29 Working Party, a group including representatives from data protection authorities of all EU member states, published guidance to clarify certain provisions of the GDPR. With the enactment of the GDPR came a new advisory body, the European Data Protection Board, or EDPB, which has now replaced the WP29 in creating data protection guidance. Find all guidance from both bodies here.

All of the European Data Protection Board and Article 29 Working Party guidelines, opinions, and documents

From the European Data Protection Board (EDPB): Upon enactment of the EU General Data Protection Regulation, May 25, 2018, the European Data Protection Board replaced the WP29. EDPB General Guidance: All EDPB Documents; GDPR: Guidelines, Recommendations, Best Practices; Public Consultations; Consistency Findings; Other documents. From the Article 29 Data Protection Working Party: The WP29 was an advisory body made up of representatives from the data protection authorities of each EU member stat...

COVID-19 and GDPR

The GDPR Catch-22 in the Dutch COVID-19 contact-tracing app

Last week, the Dutch Parliament voted in favor of an amendment to a bill regulating use of the Dutch COVID-19 contact-tracing application, which would improve the privacy of users of the app, while at the same time sidelining the EU General Data Protection Regulation. The amendment, which prohibits anybody from linking the data processed on the app’s backend server to the identity of the user, was a follow-up to a recommendation I suggested in my second opinion on the app’s data protection impa...

GDPR enforcement amid COVID-19: Will DPAs be 'strong' enough?

The COVID-19 pandemic has affected both EU data protection authorities and the organizations they oversee, leaving them in uncharted territory. DPAs have been left to choose how they'll go about handling their enforcement work in an unparalleled time of hardship and technological uptake for companies — all while the pressure's on from critics who say DPAs' enforcement of the EU General Data Protection Regulation has been weak to date. Where DPAs stand on enforcement: DPAs from France, Germ...

Is it necessary to suspend GDPR in the fight against COVID-19?

Over the last few months, we have seen organizations impose various obligations on their employees, visitors and customers to combat the spread of COVID-19. The underlying measures first began with completed health questionnaires, moved to requiring temperature checks of people entering buildings, along with the installation of thermal cameras at office entrances, and now there are regular blood tests for employees whose presence is essential for business continuity. How did the Hungarian gover...

Hungary halts some GDPR rights amid COVID-19

Euractiv reports the Hungarian government intends to suspend certain rights and protections provided by the EU General Data Protection Regulation until the COVID-19 outbreak subsides. Under the new measures, citizens will see a pause on their right to data access and erasure, while any legal actions pertaining to alleged GDPR violations will also be delayed. Opposition politician Bernadett Szél plans to challenge the suspension of rights in the Constitutional Court of Hungary, claiming that "res...

Data Protection Impact Assessments

EU Member State DPIA Whitelists, Blacklists and Guidance

Data protection authorities of many EU member states have published draft lists of data processing activities that would trigger the need for a data protection impact assessment in that country. The European Data Protection Board weighed in on the drafts; you can find its opinions here. IAPP Westin Fellow Müge Fazlioglu, CIPP/E, CIPP/US, has written an analysis of the opinions here. IAPP extern Darya Balybina, CIPP/E, CIPP/US, CIPM, has written an analysis, "What is and what isn't subject t...

What's subject to a DPIA under the GDPR? EDPB on draft lists of 22 supervisory authorities

Under the European Data Protection Regulation, data protection impact assessments are required when data processing is “likely to result in a high risk to the rights and freedoms of natural persons.” Exactly what “high risk” entails, however, has been a difficult question to answer. Article 35.3 of the GDPR provides a non-exhaustive list of examples of data processing activities that require DPIAs. The Article 29 Working Party Guidelines on DPIAs also offer help in identifying when DPIAs are nec...

How to approach DPIAs under the GDPR

The guiding principles of the EU General Data Protection Regulation stimulate organizations to address the issue of compliance with an approach based on continuous risk assessment. The most appropriate response to support the profound changes required by the GDPR is the implementation of a privacy management model (or privacy management system), adopted to guarantee the company is in compliance with voluntary certification schemes or compliance with mandatory regulations. One of the "engines" of...

Web Conference: PIAs and Data Mapping – Operationalizing GDPR and Privacy by Design

Original broadcast date: August 24, 2016. Join us in this virtual discussion as we walk you through the process of creating a PIA, and hear us tackle the critical questions, including: when and why a PIA is a necessary and useful tool; how PIAs evolve over time; what templates you should use, or whether you should use a template at all; what resources are at your disposal; how to continue to benchmark and improve your PIA over time; and, once you've completed a PIA, how to share its value with upper management and others in the organization.

Infographic: What triggers a DPIA under the GDPR?

Published: July 2018. The IAPP has created this infographic to help you determine what kinds of activities are more likely to trigger a mandatory data protection impact assessment under the EU General Data Protection Regulation. Print it out for a quick reference when determining how to move forward with a business activity that involves personal information of individuals in the EU. ...

Data Transfers, Processing and Retention

Proposed EU AI Act blurs lines between AI developers and data processors under GDPR

The proposed EU Artificial Intelligence Act and its intersections with the EU General Data Protection Regulation could present compliance issues for data compliance officers across the continent, according to IAPP Senior Westin Research Fellow Jetty Tielemans. The AI Act has some similarities with the Digital Services Act and the Digital Markets Act regarding how they clarify the GDPR, Tielemans said during a recent IAPP LinkedIn Live. However, she explained the AI Act differs in that "sensitiv...

Record of processing activities — Are you ready for maturity?

Let’s be honest — back in 2018, when the EU General Data Protection Regulation was enforced in Europe, most companies were in a rush to comply by the due date. There were many reasons for that, typical of significant changes in laws and regulation: difficulties to convince senior executives of the importance early enough, time necessary to size and scope a program and obtain a decent budget, lack of internal skills and knowledge, and lack of clarity on the requirements. In a nutshell, organizati...

CNIL publishes guidance on data processing roles under EU GDPR

France’s data protection authority, the Commission nationale de l'informatique et des libertés, published guidance on the identification of a “controller,” “subcontractor,” and “joint principal” under the EU General Data Protection Regulation. Each role influences “the nature and extent of their responsibilities” regarding data, the CNIL said, and each must be identified “as soon as possible.” The CNIL said the guidance includes details on legal criteria, qualifications to consider and more. Full...

Filling in the blanks: What is the transfer of personal data and when will Chapter V obligations be applicable?

On Nov. 18, the European Data Protection Board adopted draft guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the EU General Data Protection Regulation. The draft guidelines are open to public consultation until the end of January. GDPR regulates transfers of data: But what is a transfer? Chapter V of the GDPR sets out rules for the transfer of personal data to third countries or international organizatio...

LinkedIn Live: 'Data Transfers from the EU: Will derogations save the day?'

Published: March 2021. In this LinkedIn Live, IAPP Vice President and Chief Knowledge Officer Omer Tene and Bird & Bird International Privacy and Data Protection Group Co-Head Ruth Boardman discuss the opportunities and challenges around Article 49 of the EU General Data Protection Regulation. ...

DPOs and EU Representatives

DPO Handbook: Data Protection Officers Under the GDPR, 2nd Edition

Author: Thomas Shaw, CIPP/E, CIPP/US. DPO Handbook: Data Protection Officers Under the GDPR, Second Edition provides a comprehensive view of all aspects of the role of Data Protection Officers (DPOs) under the EU’s new General Data Protection Regulation (GDPR), starting with a look at how organizations determine whether they need a DPO, defining the skills required for the role, and discussing how to source this skillset. The book then describes in detail the vari...

DPO Report Template

This slide deck created by the IAPP research team offers a customizable template for a report to organizational leadership to help Data Protection Officers show the activities of the data protection team as well as record compliance with the General Data Protection Regulation.

GDPR Appointment of Data Protection Officer Letter

This toolkit from TermsFeed outlines whether organizations need to comply with the EU General Data Protection Regulation, especially regarding the appointment of a data protection officer. They explain the role of the DPO, how to determine whether you need one, and how to put together a compliant Appointment of Data Protection Officer Letter. ...

How to Provide DPO Contact Information to Your DPA

Last Updated: April 30, 2021. Article 37(7) of the EU General Data Protection Regulation requires that “the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.” But how does one go about communicating this information to the relevant authority? Is there a formal process, or can companies simply send an email with a DPO’s name, phone number and email address? As it turns out, different jurisdictions have set...

Does the recent fine for a Canadian website without an EU representative signal a change in GDPR enforcement priorities?

The role of representative under the EU General Data Protection Regulation remains one of the lesser-known obligations under the GDPR — it has been referred to as a "hidden obligation." The problem is this obligation applies to companies with no EU establishment, which likely refers to small and medium-sized business enterprises and companies that may still be in the early stages of growth. They are less likely to pay for a quality privacy consultant to inform them they need an EU representati...

Enforcement and Complaints

Top 10 operational impacts of the GDPR: Part 10 - Consequences for GDPR Violations

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com...

EDPB issues Article 65 decision on CNIL fine

The European Data Protection Board issued a binding decision under the EU General Data Protection Regulation's Article 65 dispute resolution mechanism related to a 600,000 euro fine handed down by France's data protection authority, the Commission nationale de l’informatique et des libertés. The Article 65 procedure was triggered by concerned supervisory authorities' issues with the proposed sum of the CNIL fine. The violation by French hotel chain Accor stemmed from alleged nonconsensual distri...

Sanctions under EU GDPR and recent data regulations: A case of double jeopardy?

The European Union is on the verge of adopting a series of regulations that will affect how data is collected and shared in the EU. These include the Data Governance Act, the Digital Services Act, the Digital Markets Act, the Artificial Intelligence Act and the Data Act. These acts do not focus on personal data — in fact, European lawmakers continuously stress that the main aim of these acts is to regulate nonpersonal data. But these acts also do not exempt personal data from their scope of appl...

10 years after: The EU's 'crunch time' on GDPR enforcement

EU General Data Protection Regulation enforcement was at the center of a conference last week organized by the European Data Protection Supervisor. Stakeholders pointed out several structural problems within the GDPR’s architecture and potential ways to address them. "Some of you might ask: 'why is the EDPS organizing this conference?' There is a path we can follow to finally deliver what was started 10 years ago, in January 2012, when the GDPR proposal was announced," said the EDPS Wojciech Wi...

Authorities collaborate on EU GDPR investigation

Authorities from France, Lithuania, the Netherlands and Poland, with support from the European Data Protection Board, are jointly investigating potential EU General Data Protection Regulation violations by Vinted, the parent company of Lithuanian clothing website Vinted.com. Following a “significant number of complaints,” the authorities formed a working group to explore Vinted’s data storage related to data subjects' rights, as well as personal data processing related to blocking users’ account...

A look behind the EDPB’s move to enhance enforcement cooperation
(IAPP, May 2022)
CJEU ruling on GDPR litigation builds ‘jurisprudence on data protection’
(IAPP, May 2022)
GDPR’s One-Stop-Shop Cross-Border Complaint Statistics (2018-2021)
(Irish DPC, March 2022)
Dodging the one-stop shop
(IAPP, February 2022)
GDPR Complaint-Process Map
(IAPP)
CIPL Discussion Paper: GDPR Enforcement Cooperation and the One-Stop-Shop Learning from the First Three Years
(CIPL, August 2021)
A Guide to GDPR Compliant Call Recordings
(Semafone, January 2021)
Bloomberg Law: Lessons Learned from Key GDPR Enforcement Cases
(Bloomberg Law, August 2020)
What US companies can learn from GDPR enforcement
(IAPP, June 2020)
Legal analysts expect UK GDPR fines to be delayed again
(IAPP, May 2020)
The Privacy Advisor Podcast: GDPR-based class actions on the rise
(IAPP, May 2020)
GDPR ushers in civil litigation claims across the EU
(IAPP, March 2020)
Brave files GDPR complaint against Google
(IAPP, March 2020)
With hefty GDPR fines, a new industry emerges
(IAPP, July 2019)
Two major GDPR complaints: A close-up
(IAPP, May 2019)
Why you should pay close attention to the Polish DPA’s first GDPR fine
(IAPP, April 2019)
First GDPR fine in Portugal issued against hospital for three violations
(IAPP, January 2019)
What’s a GDPR complaint? No one really knows
(IAPP, August 2018)
Cease processing orders under GDPR: How the Irish DPA views enforcement
(IAPP, August 2018)
Is it possible to choose your lead supervisory authority under the GDPR?
(IAPP, November 2017)

Implementation, derogations and territorial scope

Article 49 Derogations — Summary Table with Examples

There are specific recitals that relate to the derogations in Article 49, as well as detailed guidance from the EDPB. Before attempting to rely on the derogations, organizations need to be aware of these additional considerations. This table summarizes this material so readers can see at a glance the factors relevant for each derogation.

Comparing the role of the DPO under the GDPR and Turkish law

Appointment of a data privacy officer is regulated in detail under the EU General Data Protection Regulation. Mandatory DPO appointment is imposed under certain circumstances, and legal requirements are determined for the DPO role in terms of qualification as well as authorization. Under the Law on Protection of Personal Data numbered 6698 in Turkey, there is no legal requirement to appoint a DPO for data controllers, but there is a role introduced for the purposes of fulfilling the data control...

LinkedIn Live: 'Data Transfers from the EU: Will derogations save the day?'

Published: March 2021. In this LinkedIn Live, IAPP Vice President and Chief Knowledge Officer Omer Tene and Bird & Bird International Privacy and Data Protection Group Co-Head Ruth Boardman discuss the opportunities and challenges around Article 49 of the EU General Data Protection Regulation. ...

Individuals' rights and Consent

White Paper – The UX Guide to Getting Consent

(December 2017) – The GDPR requires organizations to give notice to data subjects about how their data is being collected, used, shared and destroyed, but offers nothing in the way of how to do that. Create with Context and the IAPP built this handy guide to getting consent under the GDPR, combining a look into how users interact with the digital interfaces and an analysis of the text.

Top 10 operational impacts of the GDPR: Part 3 – consent

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com...

Just say yes: GDPR consent is not as simple as it seems

The concept of consent as included in the EU General Data Protection Regulation seems to have stumped many organizations. They seem to be under the mistaken impression that they are no longer allowed to process personal data without asking consent for everything they do. Recently, the Greek Data Protection Authority issued a 150,000 euro fine against PricewaterhouseCoopers for the wrongful use of consent as a legal basis for processing its employees’ personal data. Under the GDPR, consent shoul...

In life sciences research, 'informed consent' isn't enough

The recently issued European Data Protection Board Opinion 3/2019 stipulates that “informed consent” from clinical trial participants for life science research purposes typically does not satisfy requirements for consent as a legal basis for processing personal data under the EU General Data Protection Regulation. There has been strong disappointment voiced within the life sciences community by those who believe that “informed consent” necessary to comply with EU member state clinical trial laws...

Practical tips for consent under the GDPR

The increased consent requirements under the GDPR have been a hot topic lately, due to the Article 29 Working Party’s recently issued draft guidelines on consent, and as 25 May approaches, questions about how to comply with these requirements are pouring in at OneTrust. In this exclusive for The Privacy Advisor, OneTrust’s Andrew Clearwater, CIPP/US, and Brian Philbrook, CIPP/E, CIPP/US, CIPM, CIPT, FIP, provide some practical tips for data controllers on meeting the GDPR’s stringent consent req...

Dark Patterns after the GDPR: Scraping Consent Pop-Ups and Demonstrating Their Influence
(Aarhus University, Massachusetts Institute of Technology and University College London, January 2020)
“(Un)informed Consent: Studying GDPR Consent Notices in the Field”
(Ruhr-Universität Bochum, August 2019)
How to comply with the right to erasure (if you haven’t already!)
(IAPP, August 2018)
Are all these GDPR-consent emails even necessary?
(IAPP, May 2018)

Privacy Programs and Compliance

eBook – Top 10 operational responses to the GDPR

Published: March 2018. In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the EU General Data Protection Regulation. Now, with the May 25, 2018, GDPR-implementation deadline looming, the IAPP is releasing a companion series to present common practical organizational responses that our members report undertaking in anticipation of GDPR implementation. Part 1: Data inventory and mapping. Part 2: Lawfu...

Top 10 operational impacts of the GDPR: Part 7 - Vendor Management

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com...

Hands-On Guide to GDPR Compliance

Authors: Karen Lawrence Öqvist, Filip Johnssén. “There are six words in the General Data Protection Regulation (GDPR) which have triggered a paradigm shift in how privacy compliance is dealt with by EU organisations. The GDPR mandates that an organisation must practice ‘data protection by design, by default’. What this means is that every organisation must weave privacy-thinking into its DNA. Hence, the paradigm shift has expanded privacy compliance out of the lega...

Security and Breach Notifications

Implementing appropriate security under the GDPR

The EU General Data Protection Regulation is finally here, and things like data mapping, data protection impact assessments, consent management, and data subject rights have been on everyone’s minds leading up to its arrival. While these operational requirements are obvious for many companies, some others have flown under the radar. One in particular that we have received questions about from our customers at OneTrust is the requirement for appropriate security. Security of processing: Security of processi...

Understanding data processors’ ISO and SOC 2 credentials for GDPR compliance

The European Union General Data Protection Regulation puts significant new responsibilities and liabilities on data controllers regarding their use of third-party processors. Data controllers will face increased requirements to understand and contractually stipulate the policies and procedures of their processors in accordance with the GDPR. In an effort to simplify procurement and review, controllers and processors alike are likely to look towards existing privacy and security certifications as...

White Paper – IAPP-OneTrust Research: Bridging ISO 27001 to GDPR

(March 2018) – The IAPP and OneTrust have undertaken the task of mapping the most common security operations standard, ISO’s 27001, to the world’s most influential piece of privacy legislation, the GDPR, so as to create a framework for understanding just how closely they align and how much of the work toward GDPR compliance that security has likely already done. With this research project, we have identified six main areas of common ground that should help every organization align their security and privacy operations in a way that will create efficiencies and, hopefully, reduce the risk of a damaging incident while increasing productivity and customer trust.

Top 10 Operational Responses to the GDPR – Part 8: Data breach and the GDPR

In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the European Union’s General Data Protection Regulation. Now, with the May 25, 2018, GDPR implementation deadline looming, the IAPP is releasing a companion series discussing the common practical organizational responses that our members report they are undertaking in anticipation of GDPR implementation. This eighth installment in the 10-part series explores how the ...


The Making of the GDPR

A brief history of the General Data Protection Regulation (1981-2016)

Last Updated: February 2016. On 28 January 2016: The 47 countries of the Council of Europe as well as European institutions, agencies and bodies celebrated the 10th annual European Data Protection Day, which marks the anniversary of the Council of Europe's Convention 108. The series of events dedicated to this anniversary included a conference co-hosted by the European Parliament and the European Data Protection Supervisor for EU officials on the EU data protection reform. On 21 December 2015:...

Unravelling the Mysteries of the GDPR Trilogues

In recent days, "trilogue" seems to be the buzz word on everyone's lips, following the adoption by the Council of Ministers of the European Union of the General Data Protection Regulation (GDPR) in a first reading on 11 June. But what exactly is a "trilogue"? What is the meaning of this obscure concept that only exists under European Union law? Following my previous article on the EU's ordinary legislative procedure, I will try through this article to unravel the mysteries of the trilogue by exp...