""

 

EU General Data Protection Regulation

In December 2016, the EU Parliament and Council agreed upon the EU General Data Protection Regulation, first proposed in 2012, and as of May 25, 2018, it is in effect.

The GDPR offers a framework for data protection with increased obligations for organizations, and its reach is far and wide. It is applicable to any organization — no matter where it resides — that intentionally offers goods or services to the European Union, or that monitors the behavior of individuals within the EU.

On this topic page, IAPP members will find relevant documents and expert analysis to help organizations determine if and how the GDPR will affect them.

Featured Resources

GDPR Genius

This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more.

GDPR Code of Conduct

Given the recent approval of the EU Cloud CoC as the first transnational code of conduct under the GDPR, our distinguished panel will give an overview of the trajectory that led to this milestone.

GDPR at Three

This infographic reviews the GDPR’s impact over the last three years, with a look at how policymakers, companies and regulators have focused on the privacy space for businesses, citizens and societies.


Latest News and Resources

EDPB agrees to enhance GDPR enforcement cooperation

The European Data Protection Board agreed to enhance enforcement cooperation of the EU General Data Protection Regulation and to expand methods used. “More than ever, strong and swift enforcement is crucial for ensuring a consistent interpretation of the GDPR,” EDPB Chair Andrea Jelinek said, adding cross-border cases of “strategic importance” will be identified yearly with an action plan for cooperation. The EDPB will also identify procedures “that could be further harmonised on EU level to max...

Dodging the one-stop shop

On Feb. 2, the Belgian Data Protection Authority issued its long-awaited decision against IAB Europe, finding IAB Europe’s Transparency and Consent Framework in violation of the General Data Protection Regulation. The decision has EU-wide impact as the Belgian DPA acted as the "lead DPA" under the one-stop-shop enforcement mechanism of the GDPR. This is noteworthy, as the Belgian DPA (in cases where it does not qualify as the lead DPA) has shown a reluctance on several occasions to apply the o...

Would anyone in their right mind reopen the GDPR? The IAF’s answer is yes.

The Information Accountability Foundation believes the EU General Data Protection Regulation should be amended to explicitly include knowledge creation and scientific research as legal bases to process personal data, providing a foundation for the responsible use of artificial intelligence. The IAF’s blog summarizing its comments on the European Commission’s proposed regulation on artificial intelligence suggested that the GDPR “should make possible technology applications such as AI” and that “...

A survey of the impact of GDPR and its effect on organisations in Ireland
(Mazars and McCann Fitzgerald, January 2022)
How GDPR Affected Procurement Function and Practitioners
(Dr. Taoufik Samaka, November 2021)
ICO GDPR Guidance: Special Category Data
(UK ICO, August 2021)
FPF: Regulatory Strategies of European Data Protection Authorities for 2021-2022
(Future of Privacy Forum, July 2021)
LinkedIn Live: ‘The GDPR at 3: The Law’s Tangible Impacts Around the Globe’
(IAPP, June 2021)
3 years in, GDPR highlights privacy in global landscape
(IAPP, May 2021)
GDPR basics: DPOs explained for digital health companies
(Chini.io, May 2021)
GDPR for Marketing: 2021 Guide
(Super Office, May 2021)
Federal Constitutional Court: CJEU must clarify whether GDPR provides materiality threshold
(IAPP, February 2021)
DLA Piper GDPR Data Breach Survey 2021
(DLA Piper, January 2021)
Encrypt your data to make GDPR and Russian Data Localization Law compatible
(IAPP, December 2020)
Web Conference: The LGPD, GDPR, CCPA and More – How to Abide by Multiple Privacy Laws
(IAPP, September 2020)
Privacy pros say GDPR dispute-resolution trigger ‘no surprise’
(IAPP, August 2020)
Irish DPC: GDPR regulatory activities report
(Irish DPC, June 2020)
Bird & Bird Guide to the General Data Protection Regulation
(Bird & Bird, May 2020)
Web Conference: The Impact of CCPA and GDPR on Data Management
(IAPP, May 2020)
GDPR’s second anniversary: A cause for celebration — and concern
(IAPP, May 2020)
The GDPR at Two: Expert Perspectives
(IAPP, May 2020)
GDPR 2nd Anniversary Quiz
(IAPP, May 2020)
White Paper – DPAs on the Ground
(IAPP, April 2020)
How SaaS providers are preparing for GDPR
(EnterpriseReady, March 2020)
Why Blockchain is not inherently at odds with GDPR
(Lokke Moerel and Marijn Storm, February 2020)
What you must know about ‘third parties’ under GDPR and CCPA
(IAPP, November 2019)
Platform helps organizations take deep dives into GDPR, CCPA
(IAPP, October 2019)
How to ‘background check’ under the GDPR
(IAPP, October 2019)
GDPR and CCPA: A compatibility story
(IAPP, October 2019)
How pharmacists can comply with GDPR
(The Pharmaceutical Journal, August 2019)
The tension between GDPR and the rise of blockchain technologies
(CMS, July 2019)
Publicly available data under the GDPR: Main considerations
(IAPP, May 2019)
GDPR one year later: Looking backward and forward
(IAPP, May 2019)
White Paper – GDPR at One Year: What We Heard from Leading European Regulators
(IAPP, May 2019)
Want Europe to have the best AI? Reform the GDPR
(IAPP, May 2019)
GDPR – A new age for data protection
(IAPP, May 2019)
IBM White Paper: Blockchain and GDPR
(IBM, May 2019)
GDPR One Year Anniversary – Infographic
(IAPP, May 2019)
Web Conference: GDPR for Dummies — Lessons From the Last 12 Months
(IAPP, May 2019)
Global recall: How the GDPR impacts product recalls
(IAPP, March 2019)
Privacy professionals begin to look back at year one of the GDPR
(IAPP, March 2019)
Recap: EDPB’s first-year review of GDPR
(IAPP, March 2019)
Op-ed: Encrypted data may still be personal under GDPR
(IAPP, March 2019)
Guide for multi-controller situations under the GDPR
(Serkan Kurt, May 2018)
GDPR Enforcement Priorities
(IAPP, April 2018)
Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation
(Data Protection Network, April 2018)
The General Data Protection Regulation Matchup Series
(IAPP, May 2017)
GDPR Awareness Guide
(IAPP, January 2017)

Law and Official Guidance

Article 29 Working Party and European Data Protection Board Guidance

The Article 29 Working Party, a group including representatives from data protection authorities of all EU member states, published guidance to clarify certain provisions of the GDPR. With the enactment of the GDPR came a new advisory body, the European Data Protection Board, or EDPB, which has now replaced the WP29 in creating data protection guidance. Find all guidance from both bodies here.

All of the European Data Protection Board and Article 29 Working Party guidelines, opinions, and documents

From the European Data Protection Board (EDPB)
Upon enactment of the EU General Data Protection Regulation, May 25, 2018, the European Data Protection Board replaced the WP29.
EDPB General Guidance: All EDPB Documents; GDPR: Guidelines, Recommendations, Best Practices; Public Consultations; Consistency Findings; Other documents
From the Article 29 Data Protection Working Party
The WP29 was an advisory body made up of representatives from the data protection authorities of each EU member stat...

COVID-19 and GDPR

The GDPR Catch-22 in the Dutch COVID-19 contact-tracing app

Last week, the Dutch Parliament voted in favor of an amendment to a bill regulating use of the Dutch COVID-19 contact-tracing application, which would improve the privacy of users of the app, while at the same time sidelining the EU General Data Protection Regulation. The amendment, which prohibits anybody from linking the data processed on the app’s backend server to the identity of the user, was a follow-up to a recommendation I suggested in my second opinion on the app’s data protection impa...

GDPR enforcement amid COVID-19: Will DPAs be 'strong' enough?

The COVID-19 pandemic has affected both EU data protection authorities and the organizations they oversee, leaving both in uncharted territory. DPAs have been left to choose how they'll go about handling their enforcement work in an unparalleled time of hardship and technological uptake for companies — all while the pressure's on from critics who say DPAs' enforcement of the EU General Data Protection Regulation has been weak to date.
Where DPAs stand on enforcement
DPAs from France, Germ...

Is it necessary to suspend GDPR in the fight against COVID-19?

Over the last few months, we have seen organizations impose various obligations on their employees, visitors and customers to combat the spread of COVID-19. The underlying measures first began with completed health questionnaires, moved to requiring temperature checks of people entering buildings, along with the installation of thermal cameras at office entrances, and now there are regular blood tests for employees whose presence is essential for business continuity. How did the Hungarian gover...

Hungary halts some GDPR rights amid COVID-19

Euractiv reports the Hungarian government intends to suspend certain rights and protections provided by the EU General Data Protection Regulation until the COVID-19 outbreak subsides. Under the new measures, citizens will see a pause on their right to data access and erasure, while any legal actions pertaining to alleged GDPR violations will also be delayed. Opposition politician Bernadett Szél plans to challenge the suspension of rights in the Constitutional Court of Hungary, claiming that "res...

Data Protection Impact Assessments

EU Member State DPIA Whitelists, Blacklists and Guidance

Data protection authorities of many EU member states have published draft lists of data processing activities that would trigger the need for a data protection impact assessment in that country. The European Data Protection Board weighed in on the drafts; you can find its opinions here. IAPP Westin Fellow Müge Fazlioglu, CIPP/E, CIPP/US, has written an analysis of the opinions here. IAPP extern Darya Balybina, CIPP/E, CIPP/US, CIPM has written an analysis, "What is and what isn't subject t...

What's subject to a DPIA under the GDPR? EDPB on draft lists of 22 supervisory authorities

Under the European Data Protection Regulation, data protection impact assessments are required when data processing is “likely to result in a high risk to the rights and freedoms of natural persons.” Exactly what “high risk” entails, however, has been a difficult question to answer. Article 35.3 of the GDPR provides a non-exhaustive list of examples of data processing activities that require DPIAs. The Article 29 Working Party Guidelines on DPIAs also offer help in identifying when DPIAs are nec...

How to approach DPIAs under the GDPR

The guiding principles of the EU General Data Protection Regulation stimulate organizations to address the issue of compliance with an approach based on continuous risk assessment. The most appropriate response to support the profound changes required by the GDPR is the implementation of a privacy management model (or privacy management system), adopted to guarantee the company is in compliance with voluntary certification schemes or compliance with mandatory regulations. One of the "engines" of...

Web Conference: PIAs and Data Mapping – Operationalizing GDPR and Privacy by Design

Original broadcast date: August 24, 2016. Join us in this virtual discussion as we walk you through the process of creating a PIA, and hear us tackle the critical questions, including: when and why a PIA is a necessary and useful tool; how PIAs evolve over time; what templates you should use, or whether you should use a template at all; what resources are at your disposal; how to continue to benchmark and improve your PIA over time; and, once you've completed a PIA, how to share its value with upper management and others in the organization, among others.

Infographic: What triggers a DPIA under the GDPR?

Published: July 2018. The IAPP has created this infographic to help you determine what kinds of activities are more likely to trigger a mandatory data protection impact assessment under the EU General Data Protection Regulation. Print it out for a quick reference when determining how to move forward with a business activity that involves personal information of individuals in the EU.

Data Transfers, Processing and Retention

Filling in the blanks: What is the transfer of personal data and when will Chapter V obligations be applicable?

On Nov. 18, the European Data Protection Board adopted draft guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the EU General Data Protection Regulation. The draft guidelines are open to public consultation until the end of January.
GDPR regulates transfers of data: But what is a transfer?
Chapter V of the GDPR sets out rules for the transfer of personal data to third countries or international organizatio...

LinkedIn Live: 'Data Transfers from the EU: Will derogations save the day?'

Published: March 2021. In this LinkedIn Live, IAPP Vice President and Chief Knowledge Officer Omer Tene and Bird & Bird International Privacy and Data Protection Group Co-Head Ruth Boardman discuss the opportunities and challenges around Article 49 of the EU General Data Protection Regulation.

The value of investing in well-constructed records of processing activities

The EU General Data Protection Regulation is one of the first privacy laws to impact businesses on a global scale because of its extraterritorial reach to any organization that processes data of EU residents. Among the range of compliance obligations that the GDPR requires of businesses is the major undertaking of creating and maintaining organization-spanning records of processing activities. Whether or not the GDPR applies to you, the benefits of implementing a ROPA program in your organization are f...

How does GDPR apply to clinical trial sponsors outside EEA? Views of EEA DPAs

While many organizations across the world have acclimatized to life under the EU General Data Protection Regulation, certain industries are still reconciling how it applies to them. In the life sciences sector — particularly in the context of clinical trials — there is a stark variance in the way different stakeholders interpret how the GDPR applies to their data-processing activities. Surprisingly, this variance of interpretation also appears to exist among the relevant data protection authori...

Stuck in the middle with you: When US discovery orders hit GDPR

Civil litigants in the United States have broad rights to information — from each other and from others not involved in the litigation, whether or not they are within the U.S. Other countries often have more limited “discovery” rights and often have confidentiality or privacy laws that restrict sharing information or transferring that information across borders, like the EU General Data Protection Regulation. This often generates conflicts for those who are required by U.S. law to deliver evide...

Top 10 operational impacts of the GDPR: Part 4 - Cross-border data transfers

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com...

DPOs and EU Representatives

DPO Handbook: Data Protection Officers Under the GDPR, 2nd Edition

Author: Thomas Shaw, CIPP/E, CIPP/US. DPO Handbook: Data Protection Officers Under the GDPR, Second Edition provides a comprehensive view of all aspects of the role of Data Protection Officers (DPOs) under the EU’s new General Data Protection Regulation (GDPR), starting with a look at how organizations determine whether they need a DPO, defining the skills required for the role, and discussing how to source this skillset. The book then describes in detail the ...

DPO Report Template

This slide deck created by the IAPP research team offers a customizable template for a report to organizational leadership to help Data Protection Officers show the activities of the data protection team as well as record compliance with the General Data Protection Regulation.

GDPR Appointment of Data Protection Officer Letter

This toolkit from TermsFeed outlines whether organizations need to comply with the EU General Data Protection Regulation, especially regarding the appointment of a data protection officer. They explain the role of the DPO, how to determine whether you need one, and how to put together a compliant Appointment of Data Protection Officer Letter.

How to Provide DPO Contact Information to Your DPA

Last Updated: April 30, 2021. Article 37(7) of the EU General Data Protection Regulation requires that “the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.” But how does one go about communicating this information to the relevant authority? Is there a formal process, or can companies simply send an email with a DPO’s name, phone number and email address? As it turns out, different jurisdictions have set...

Does the recent fine for a Canadian website without an EU representative signal a change in GDPR enforcement priorities?

The role of representative under the EU General Data Protection Regulation remains one of the lesser-known obligations under the GDPR — it has been referred to as a "hidden obligation." The problem is this obligation applies to companies with no EU establishment, which likely refers to small and medium-sized business enterprises and companies that may still be in the early stages of growth. They are less likely to pay for a quality privacy consultant to inform them they need an EU representati...

Enforcement and Complaints

Top 10 operational impacts of the GDPR: Part 10 - Consequences for GDPR Violations

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com...

Implementation, derogations and territorial scope

Article 49 Derogations — Summary Table with Examples

There are specific recitals that relate to the derogations in Article 49, as well as detailed guidance from the EDPB. Before attempting to rely on the derogations, organizations need to be aware of these additional considerations. This table summarizes this material so readers can see at a glance the factors relevant for each derogation.

Comparing the role of the DPO under the GDPR and Turkish law

Appointment of a data privacy officer is regulated in detail under the EU General Data Protection Regulation. Mandatory DPO appointment is imposed under certain circumstances, and legal requirements are determined for the DPO role in terms of qualification as well as authorization. Under the Law on Protection of Personal Data numbered 6698 in Turkey, there is no legal requirement to appoint a DPO for data controllers, but there is a role introduced for the purposes of fulfilling the data control...

Individuals' rights and Consent

White Paper – The UX Guide to Getting Consent

(December 2017) – The GDPR requires organizations to give notice to data subjects about how their data is being collected, used, shared and destroyed, but offers nothing in the way of how to do that. Create with Context and the IAPP built this handy guide to getting consent under the GDPR, combining a look into how users interact with the digital interfaces and an analysis of the text.

Top 10 operational impacts of the GDPR: Part 3 – consent

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com...

Just say yes: GDPR consent is not as simple as it seems

The concept of consent as included in the EU General Data Protection Regulation seems to have stumped many organizations. They seem to be under the mistaken impression that they are no longer allowed to process personal data without asking consent for everything they do. Recently, the Greek Data Protection Authority issued a 150,000 euro fine against PricewaterhouseCoopers for the wrongful use of consent as a legal basis for processing its employees’ personal data. Under the GDPR, consent shoul...

In life sciences research, 'informed consent' isn't enough

The recently issued European Data Protection Board Opinion 3/2019 stipulates that “informed consent” from clinical trial participants for life science research purposes typically does not satisfy requirements for consent as a legal basis for processing personal data under the EU General Data Protection Regulation. There has been strong disappointment voiced within the life sciences community by those who believe that “informed consent” necessary to comply with EU member state clinical trial laws...

Practical tips for consent under the GDPR

The increased consent requirements under the GDPR have been a hot topic lately, due to the Article 29 Working Party’s recently issued draft guidelines on consent, and as 25 May approaches, questions about how to comply with these requirements are pouring in at OneTrust. In this exclusive for The Privacy Advisor, OneTrust’s Andrew Clearwater, CIPP/US, and Brian Philbrook, CIPP/E, CIPP/US, CIPM, CIPT, FIP, provide some practical tips for data controllers on meeting the GDPR’s stringent consent req...

Dark Patterns after the GDPR: Scraping Consent Pop-Ups and Demonstrating Their Influence
(Aarhus University, Massachusetts Institute of Technology and University College, London, January 2020)
“(Un)informed Consent: Studying GDPR Consent Notices in the Field”
(Ruhr-Universität Bochum, August 2019)
How to comply with the right to erasure (if you haven’t already!)
(IAPP, August 2018)
Are all these GDPR-consent emails even necessary?
(IAPP, May 2018)

Privacy Programs and Compliance

eBook – Top 10 operational responses to the GDPR

Published: March 2018. In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the EU General Data Protection Regulation. Now, with the May 25, 2018, GDPR-implementation deadline looming, the IAPP is releasing a companion series to present common practical organizational responses that our members report undertaking in anticipation of GDPR implementation.
Part 1: Data inventory and mapping, by Rita Heimes,...

Top 10 operational impacts of the GDPR: Part 7 - Vendor Management

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com...

Hands-On Guide to GDPR Compliance

Authors: Karen Lawrence Öqvist, Filip Johnssén. “There are six words in the General Data Protection Regulation (GDPR) which have triggered a paradigm shift in how privacy compliance is dealt with by EU organisations. The GDPR mandates that an organisation must practice ‘data protection by design, by default’. What this means is that every organisation must weave privacy-thinking into its DNA. Hence, the paradigm shift has expanded privacy compliance out of the l...

White Paper – Timelines and budgets for GDPR compliance: A meta-analysis

(February 2019) – This white paper aggregates the results of 12 different surveys conducted between September 2016 and July 2018 on organizational GDPR-compliance efforts before and after the May 25, 2018, implementation deadline to gain the deepest insight possible into compliance efforts and costs at the organizational level on a global scale. This report presents the findings from that meta-analysis.

Security and Breach Notifications

Implementing appropriate security under the GDPR

The EU General Data Protection Regulation is finally here, and things like data mapping, data protection impact assessment, consent management, and data subject rights have been on everyone’s minds leading up to its arrival. While these operational requirements are obvious for many companies, some others have flown under the radar. One in particular that we have received questions about from our customers at OneTrust is the requirement for appropriate security.
Security of processing
Security of processi...

Understanding data processors’ ISO and SOC 2 credentials for GDPR compliance

The European Union General Data Protection Regulation puts significant new responsibilities and liabilities on data controllers regarding their use of third-party processors. Data controllers will face increased requirements to understand and contractually stipulate the policies and procedures of their processors in accordance with the GDPR. In an effort to simplify procurement and review, controllers and processors alike are likely to look towards existing privacy and security certifications as...

White Paper – IAPP-OneTrust Research: Bridging ISO 27001 to GDPR

(March 2018) – The IAPP and OneTrust have undertaken the task of mapping the most common security operations standard, ISO’s 27001, to the world’s most influential piece of privacy legislation, the GDPR, so as to create a framework for understanding just how closely they align and how much of the work toward GDPR compliance that security has likely already done. With this research project, we have identified six main areas of common ground that should help every organization align their security and privacy operations in a way that will create efficiencies and, hopefully, reduce the risk of a damaging incident while increasing productivity and customer trust.

Top 10 Operational Responses to the GDPR – Part 8: Data breach and the GDPR

In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the European Union’s General Data Protection Regulation. Now, with the May 25, 2018, GDPR implementation deadline looming, the IAPP is releasing a companion series discussing the common practical organizational responses that our members report they are undertaking in anticipation of GDPR implementation. This eighth installment in the 10-part series explores how the ...

CNIL Guide – Security of Personal Data

In this guide, France's data protection authority, the CNIL, lists basic precautions that should be implemented systematically throughout French organizations to best be prepared for the GDPR and the security of their customers' personal data.


The Making of the GDPR

A brief history of the General Data Protection Regulation (1981-2016)

Last Updated: February 2016. On 28 January 2016: The 47 countries of the Council of Europe as well as European institutions, agencies and bodies celebrated the 10th annual European Data Protection Day, which marks the anniversary of the Council of Europe's Convention 108. The series of events dedicated to this anniversary included a conference co-hosted by the European Parliament and the European Data Protection Supervisor for EU officials on the EU data protection reform. On 21 December 2015:...

Unravelling the Mysteries of the GDPR Trilogues

In recent days, "trilogue" seems to be the buzz word on everyone's lips, following the adoption by the Council of Ministers of the European Union of the General Data Protection Regulation (GDPR) in a first reading on 11 June. But what exactly is a "trilogue"? What is the meaning of this obscure concept that only exists under European Union law? Following my previous article on the EU's ordinary legislative procedure, I will try through this article to unravel the mysteries of the trilogue by exp...