EU General Data Protection Regulation

In December 2016, the EU Parliament and Council agreed upon the EU General Data Protection Regulation, first proposed in 2012; it has been in effect since May 25, 2018.

The GDPR offers a framework for data protection with increased obligations for organizations, and its reach is far and wide. It is applicable to any organization — no matter where it resides — that intentionally offers goods or services to the European Union, or that monitors the behavior of individuals within the EU.

This topic page is regularly updated with relevant documents and expert analysis to help organizations determine how the GDPR affects them.

Featured Resources

GDPR Genius

This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more.

Practical considerations from EU enforcement

This article breaks down the key practical takeaways and things to look out for on the EU General Data Protection Regulation’s legal bases and transparency requirements.

Refresher: The GDPR’s Six Legal Bases for Data Processing

This chart provides a refresher on the six bases for lawful processing under Article 6 of the EU General Data Protection Regulation. The chart explains the scope of the Article 6 lawful bases for processing, further considerations for determining when each applies, relevant recitals, additional IAPP guidance and resources from supervisory authorities.

Latest News and Resources

Using sensitive data to prevent AI discrimination: Does the EU GDPR need a new exception?

Organizations can use artificial intelligence to make decisions about people for a variety of reasons, such as selecting the best candidates from many job applications. However, AI systems can have discriminatory effects when used for decision making. For example, an AI system could reject applications of people with a certain ethnicity, even though the organization did not plan such discrimination. In Europe, an organization can run into a problem when assessing whether its AI system accidenta...

Breaking down enforcement of Meta’s legal basis for personalized ads

Last week, Ireland's Data Protection Commission fined Meta 390 million euros — 210 million euros against Facebook and 180 million euros against Instagram. In its decision, the DPC announced the platforms’ basis for seeking user permission to collect data for personalized advertising is invalid and gave the company three months to bring data processing operations into compliance with the EU General Data Protection Regulation. Notably, the decision that Meta’s contract-based request for personali...

Meta's EU data transfer case faces Article 65 dispute resolution mechanism

The fate of Meta's data transfers to the U.S. could hinge on an Article 65 dispute resolution mechanism in the EU, after Ireland's Data Protection Commission was unable to resolve objections from other EU data protection authorities to its draft enforcement decision. Politico reporter Vincent Manancourt originally broke the news, which was then confirmed by the DPC in an email to The Privacy Advisor. "We haven't been able to resolve the objections raised on our draft decision and have to trigg...

Are EU AI Act sandboxes viable without GDPR waivers for experimentation?

The proposed EU Artificial Intelligence Act is anticipated to pave the way for a regulated approach to the future development of artificial intelligence. One means of testing new AI technologies is through regulatory sandboxes created by various data protection authorities around Europe. To explore how AI regulatory sandboxes are helping companies develop their machine-learning models, IAPP Managing Director, Europe, Isabelle Roccia hosted a LinkedIn Live session Dec. 12 with Secure Practice co...

FPF: Regulatory Strategies of European Data Protection Authorities
(Future of Privacy Forum, February 2023)
Web Conference: How to Gear Your Privacy Team Up for the FTC’s Priorities and GDPR Developments
(IAPP, September 2022)
UK DPDI Bill: Comparative analysis with the EU GDPR and ePrivacy framework
(IAPP, July 2022)
Proposed EU AI Act blurs lines between AI developers and data processors under GDPR
(IAPP, July 2022)
Sanctions under EU GDPR and recent data regulations: A case of double jeopardy?
(IAPP, July 2022)
Record of processing activities — Are you ready for maturity?
(IAPP, June 2022)
A look behind the EDPB’s move to enhance enforcement cooperation
(IAPP, May 2022)
Consent as legal basis for EU and UK employment
(IAPP, May 2022)
CJEU ruling on GDPR litigation builds ‘jurisprudence on data protection’
(IAPP, May 2022)
ICO GDPR Guidance: Special Category Data
(UK ICO, April 2022)
GDPR’s One-Stop-Shop Cross-Border Complaint Statistics (2018-2021)
(Irish DPC, March 2022)
Dodging the one-stop shop
(IAPP, February 2022)
A survey of the impact of GDPR and its effect on organisations in Ireland
(Mazars and McCann Fitzgerald, January 2022)
CNIL – GDPR Guide for Developers
(CNIL, December 2021)
How GDPR Affected Procurement Function and Practitioners
(Dr. Taoufik Samaka, November 2021)
Would anyone in their right mind reopen the GDPR? The IAF’s answer is yes.
(IAPP, August 2021)
Web Conference: #MeToo vs. GDPR: Investigating Sexual Misconduct by EU Employees
(IAPP, July 2021)
Web Conference: Code of Conduct Under GDPR: Alignment, Interoperability and Potentials
(IAPP, June 2021)
LinkedIn Live: ‘The GDPR at 3: The Law’s Tangible Impacts Around the Globe’
(IAPP, June 2021)
GDPR at Three
(IAPP, May 2021)
3 years in, GDPR highlights privacy in global landscape
(IAPP, May 2021)
GDPR basics: DPOs explained for digital health companies
(Chini.io, May 2021)
GDPR for Marketing: 2021 Guide
(Super Office, May 2021)
Federal Constitutional Court: CJEU must clarify whether GDPR provides materiality threshold
(IAPP, February 2021)
DLA Piper GDPR Data Breach Survey 2021
(DLA Piper, January 2021)
Encrypt your data to make GDPR and Russian Data Localization Law compatible
(IAPP, December 2020)
Web Conference: The LGPD, GDPR, CCPA and More – How to Abide by Multiple Privacy Laws
(IAPP, September 2020)
Privacy pros say GDPR dispute-resolution trigger ‘no surprise’
(IAPP, August 2020)
Irish DPC: GDPR regulatory activities report
(Irish DPC, June 2020)
Bird & Bird Guide to the General Data Protection Regulation
(Bird & Bird, May 2020)
Web Conference: The Impact of CCPA and GDPR on Data Management
(IAPP, May 2020)
GDPR’s second anniversary: A cause for celebration — and concern
(IAPP, May 2020)
The GDPR at Two: Expert Perspectives
(IAPP, May 2020)
White Paper – DPAs on the Ground
(IAPP, April 2020)
How SaaS providers are preparing for GDPR
(EnterpriseReady, March 2020)
Why Blockchain is not inherently at odds with GDPR
(Lokke Moerel and Marijn Storm, February 2020)
What you must know about ‘third parties’ under GDPR and CCPA
(IAPP, November 2019)
Platform helps organizations take deep dives into GDPR, CCPA
(IAPP, October 2019)
How to ‘background check’ under the GDPR
(IAPP, October 2019)
GDPR and CCPA: A compatibility story
(IAPP, October 2019)
Guide​ ​for​ ​multi-controller​ ​situations​ ​under​ ​the​ ​GDPR
(Gerrish Legal, September 2019)
How pharmacists can comply with GDPR
(The Pharmaceutical Journal, August 2019)
The tension between GDPR and the rise of blockchain technologies
(CMS, July 2019)
Publicly available data under the GDPR: Main considerations
(IAPP, May 2019)
GDPR one year later: Looking backward and forward
(IAPP, May 2019)
White Paper – GDPR at One Year: What We Heard from Leading European Regulators
(IAPP, May 2019)
Want Europe to have the best AI? Reform the GDPR
(IAPP, May 2019)
GDPR – A new age for data protection
(IAPP, May 2019)
IBM White Paper: Blockchain and GDPR
(IBM, May 2019)
GDPR One Year Anniversary – Infographic
(IAPP, May 2019)
Web Conference: GDPR for Dummies — Lessons From the Last 12 Months
(IAPP, May 2019)
Global recall: How the GDPR impacts product recalls
(IAPP, March 2019)
Privacy professionals begin to look back at year one of the GDPR
(IAPP, March 2019)
Recap: EDPB’s first-year review of GDPR
(IAPP, March 2019)
Op-ed: Encrypted data may still be personal under GDPR
(IAPP, March 2019)
GDPR Enforcement Priorities
(IAPP, April 2018)
Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation
(Data Protection Network, April 2018)
The General Data Protection Regulation Matchup Series
(IAPP, May 2017)
GDPR Awareness Guide
(IAPP, January 2017)

Law and Official Guidance

Article 29 Working Party and European Data Protection Board Guidance

The Article 29 Working Party, a group including representatives from data protection authorities of all EU member states, published guidance to clarify certain provisions of the GDPR. With the enactment of the GDPR came a new advisory body, the European Data Protection Board, or EDPB, which has now replaced the WP29 in creating data protection guidance. Find all guidance from both bodies here.

All of the European Data Protection Board and Article 29 Working Party guidelines, opinions, and documents

From the European Data Protection Board (EDPB): Upon enactment of the EU General Data Protection Regulation, May 25, 2018, the European Data Protection Board replaced the WP29. EDPB general guidance covers all EDPB documents; GDPR guidelines, recommendations and best practices; public consultations; consistency findings; and other documents. From the Article 29 Data Protection Working Party: The WP29 was an advisory body made up of representatives from the data protection authorities of each EU member stat...

Data Protection Impact Assessments

EU Member State DPIA Whitelists, Blacklists and Guidance

Data protection authorities of many EU member states have published draft lists of data processing activities that would trigger the need for a data protection impact assessment in that country. The European Data Protection Board weighed in on the drafts; you can find its opinions here. IAPP Westin Fellow Müge Fazlioglu, CIPP/E, CIPP/US, has written an analysis of the opinions here. IAPP extern Darya Balybina, CIPP/E, CIPP/US, CIPM, has written an analysis, "What is and what isn't subject t...

What's subject to a DPIA under the GDPR? EDPB on draft lists of 22 supervisory authorities

Under the European Data Protection Regulation, data protection impact assessments are required when data processing is “likely to result in a high risk to the rights and freedoms of natural persons.” Exactly what “high risk” entails, however, has been a difficult question to answer. Article 35.3 of the GDPR provides a non-exhaustive list of examples of data processing activities that require DPIAs. The Article 29 Working Party Guidelines on DPIAs also offer help in identifying when DPIAs are nec...

How to approach DPIAs under the GDPR

The guiding principles of the EU General Data Protection Regulation stimulate organizations to address the issue of compliance with an approach based on continuous risk assessment. The most appropriate response to support the profound changes required by the GDPR is the implementation of a privacy management model (or privacy management system), adopted to guarantee the company is in compliance with voluntary certification schemes or compliance with mandatory regulations. One of the "engines" of...

Web Conference: PIAs and Data Mapping – Operationalizing GDPR and Privacy by Design

Original broadcast date: August 24, 2016. Join us in this virtual discussion as we walk you through the process of creating a PIA, and hear us tackle critical questions, including: when and why a PIA is a necessary and useful tool; how PIAs evolve over time; what templates you should use, or whether you should use a template at all; what resources are at your disposal; how to continue to benchmark and improve your PIA over time; and, once you've completed a PIA, how to share its value with upper management and others in the organization.

Infographic: What triggers a DPIA under the GDPR?

Published: July 2018. The IAPP has created this infographic to help you determine what kinds of activities are more likely to trigger a mandatory data protection impact assessment under the EU General Data Protection Regulation. Print it out for a quick reference when determining how to move forward with a business activity that involves personal information of individuals in the EU. ...

Data Transfers, Processing and Retention

Proposed EU AI Act blurs lines between AI developers and data processors under GDPR

The proposed EU Artificial Intelligence Act and its intersections with the EU General Data Protection Regulation could present compliance issues for data compliance officers across the continent, according to IAPP Senior Westin Research Fellow Jetty Tielemans. The AI Act has some similarities with the Digital Services Act and the Digital Markets Act regarding how they clarify the GDPR, Tielemans said during a recent IAPP LinkedIn Live. However, she explained the AI Act differs in that "sensitiv...

Record of processing activities — Are you ready for maturity?

Let’s be honest — back in 2018, when the EU General Data Protection Regulation was enforced in Europe, most companies were in a rush to comply by the due date. There were many reasons for that, typical of significant changes in laws and regulation: difficulties to convince senior executives of the importance early enough, time necessary to size and scope a program and obtain a decent budget, lack of internal skills and knowledge, and lack of clarity on the requirements. In a nutshell, organizati...

CNIL publishes guidance on data processing roles under EU GDPR

France’s data protection authority, the Commission nationale de l'informatique et des libertés, published guidance on the identification of a “controller,” “subcontractor,” and “joint principal” under the EU General Data Protection Regulation. Each role influences “the nature and extent of their responsibilities” regarding data, the CNIL said, and each must be identified “as soon as possible.” The CNIL said the guidance includes details on legal criteria, qualifications to consider and more. Full...

Filling in the blanks: What is the transfer of personal data and when will Chapter V obligations be applicable?

On Nov. 18, the European Data Protection Board adopted draft guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the EU General Data Protection Regulation. The draft guidelines are open to public consultation until the end of January. GDPR regulates transfers of data: But what is a transfer? Chapter V of the GDPR sets out rules for the transfer of personal data to third countries or international organizatio...

Data Transfers from the EU: Will derogations save the day?

Original Broadcast Date: March 2021. In this LinkedIn Live, IAPP Vice President and Chief Knowledge Officer Omer Tene and Bird & Bird International Privacy and Data Protection Group Co-head Ruth Boardman discuss the opportunities and challenges around Article 49 of the EU General Data Protection Regulation. Watch the full recording on LinkedIn.

DPOs and EU Representatives

DPO Handbook: Data Protection Officers Under the GDPR, 2nd Edition

Author: Thomas Shaw, CIPP/E, CIPP/US. DPO Handbook: Data Protection Officers Under the GDPR, Second Edition provides a comprehensive view of all aspects of the role of Data Protection Officers (DPOs) under the EU’s new General Data Protection Regulation (GDPR), starting with a look at how organizations determine whether they need a DPO, defining the skills required for the role, and discussing how to source this skillset. The book then describes in detail the vari...

DPO Report Template

This slide deck created by the IAPP research team offers a customizable template for a report to organizational leadership to help Data Protection Officers show the activities of the data protection team as well as record compliance with the General Data Protection Regulation.

GDPR Appointment of Data Protection Officer Letter

This toolkit from TermsFeed outlines whether organizations need to comply with the EU General Data Protection Regulation, especially regarding the appointment of a data protection officer. They explain the role of the DPO, how to determine whether you need one, and how to put together a compliant Appointment of Data Protection Officer Letter.

How to Provide DPO Contact Information to Your DPA

Last Updated: April 2021. Article 37(7) of the EU General Data Protection Regulation requires that “the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.” But how does one go about communicating this information to the relevant authority? Is there a formal process, or can companies simply send an email with a DPO’s name, phone number and email address? As it turns out, different jurisdictions have settled...

Does the recent fine for a Canadian website without an EU representative signal a change in GDPR enforcement priorities?

The role of representative under the EU General Data Protection Regulation remains one of the lesser-known obligations under the GDPR — it has been referred to as a "hidden obligation." The problem is this obligation applies to companies with no EU establishment, which likely refers to small and medium-sized business enterprises and companies that may still be in the early stages of growth. They are less likely to pay for a quality privacy consultant to inform them they need an EU representati...

Enforcement and Complaints

Top 10 operational impacts of the GDPR: Part 10 - Consequences for GDPR Violations

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-com...

What the DPC-Meta decision tells us about the EU GDPR dispute resolution mechanism

Enforcement of the EU General Data Protection Regulation started with a bang Jan. 4 as Ireland's Data Protection Commission adopted final decisions on two inquiries into Meta’s Facebook and Instagram. The decisions focused on Meta subsidiaries’ use of contract as a legal basis for its personalized advertising model and led to steep 390 million euro fines for the company’s household brands. You can take a look at the IAPP’s initial reporting and our refresher of the GDPR’s six legal bases for per...

Irish DPC fines Meta 390M euros over legal basis for personalized ads

The Irish Data Protection Commission adopted final decisions on two inquiries into Meta’s Facebook and Instagram, fining the company a total of 390 million euros and potentially leading to an upheaval of its personalized advertising model in the EU. The DPC announced Meta’s basis for seeking user permission to collect data for personalized advertising, used by its Facebook and Instagram platforms, is invalid and gave the company three months to bring its data processing operations into complian...

Sanctions under EU GDPR and recent data regulations: A case of double jeopardy?

The European Union is on the verge of adopting a series of regulations that will affect how data is collected and shared in the EU. These include the Data Governance Act, the Digital Services Act, the Digital Markets Act, the Artificial Intelligence Act and the Data Act. These acts do not focus on personal data — in fact, European lawmakers continuously stress that the main aim of these acts is to regulate nonpersonal data. But these acts also do not exempt personal data from their scope of appl...

EDPB issues Article 65 decision on CNIL fine
(IAPP, August 2022)
10 years after: The EU’s ‘crunch time’ on GDPR enforcement
(IAPP, June 2022)
Authorities collaborate on EU GDPR investigation
(IAPP, June 2022)
A look behind the EDPB’s move to enhance enforcement cooperation
(IAPP, May 2022)
CJEU ruling on GDPR litigation builds ‘jurisprudence on data protection’
(IAPP, May 2022)
GDPR’s One-Stop-Shop Cross-Border Complaint Statistics (2018-2021)
(Irish DPC, March 2022)
Dodging the one-stop shop
(IAPP, February 2022)
GDPR Complaint-Process Map
(IAPP)
CIPL Discussion Paper: GDPR Enforcement Cooperation and the One-Stop-Shop Learning from the First Three Years
(CIPL, August 2021)
A Guide to GDPR Compliant Call Recordings
(Semafone, January 2021)
Bloomberg Law: Lessons Learned from Key GDPR Enforcement Cases
(Bloomberg Law, August 2020)
What US companies can learn from GDPR enforcement
(IAPP, June 2020)
Legal analysts expect UK GDPR fines to be delayed again
(IAPP, May 2020)
The Privacy Advisor Podcast: GDPR-based class actions on the rise
(IAPP, May 2020)
GDPR ushers in civil litigation claims across the EU
(IAPP, March 2020)
Brave files GDPR complaint against Google
(IAPP, March 2020)
With hefty GDPR fines, a new industry emerges
(IAPP, July 2019)
Two major GDPR complaints: A close-up
(IAPP, May 2019)
Why you should pay close attention to the Polish DPA’s first GDPR fine
(IAPP, April 2019)
First GDPR fine in Portugal issued against hospital for three violations
(IAPP, January 2019)
What’s a GDPR complaint? No one really knows
(IAPP, August 2018)
Cease processing orders under GDPR: How the Irish DPA views enforcement
(IAPP, August 2018)
Is it possible to choose your lead supervisory authority under the GDPR?
(IAPP, November 2017)

Implementation, derogations and territorial scope

Article 49 Derogations — Summary Table with Examples

There are specific recitals that relate to the derogations in Article 49, as well as detailed guidance from the EDPB. Before attempting to rely on the derogations, organizations need to be aware of these additional considerations. This table summarizes this material so readers can see at a glance the factors relevant for each derogation.

Comparing the role of the DPO under the GDPR and Turkish law

Appointment of a data privacy officer is regulated in detail under the EU General Data Protection Regulation. Mandatory DPO appointment is imposed under certain circumstances, and legal requirements are determined for the DPO role in terms of qualification as well as authorization. Under the Law on Protection of Personal Data numbered 6698 in Turkey, there is no legal requirement to appoint a DPO for data controllers, but there is a role introduced for the purposes of fulfilling the data control...

Individuals' rights and Consent

White Paper – The UX Guide to Getting Consent

(December 2017) – The GDPR requires organizations to give notice to data subjects about how their data is being collected, used, shared and destroyed, but offers nothing in the way of how to do that. Create with Context and the IAPP built this handy guide to getting consent under the GDPR, combining a look into how users interact with digital interfaces and an analysis of the text.

Top 10 operational impacts of the GDPR: Part 3 – consent

Just say yes: GDPR consent is not as simple as it seems

The concept of consent as included in the EU General Data Protection Regulation seems to have stumped many organizations. They seem to be under the mistaken impression that they are no longer allowed to process personal data without asking consent for everything they do. Recently, the Greek Data Protection Authority issued a 150,000 euro fine against PricewaterhouseCoopers for the wrongful use of consent as a legal basis for processing its employees’ personal data. Under the GDPR, consent shoul...

In life sciences research, 'informed consent' isn't enough

The recently issued European Data Protection Board Opinion 3/2019 stipulates that “informed consent” from clinical trial participants for life science research purposes typically does not satisfy requirements for consent as a legal basis for processing personal data under the EU General Data Protection Regulation. There has been strong disappointment voiced within the life sciences community by those who believe that “informed consent” necessary to comply with EU member state clinical trial laws...

Practical tips for consent under the GDPR

The increased consent requirements under the GDPR have been a hot topic lately, due to the Article 29 Working Party’s recently issued draft guidelines on consent, and as 25 May approaches, questions about how to comply with these requirements are pouring in at OneTrust. In this exclusive for The Privacy Advisor, OneTrust’s Andrew Clearwater, CIPP/US, and Brian Philbrook, CIPP/E, CIPP/US, CIPM, CIPT, FIP, provide some practical tips for data controllers on meeting the GDPR’s stringent consent req...

Dark Patterns after the GDPR: Scraping Consent Pop-Ups and Demonstrating Their Influence
(Aarhus University, Massachusetts Institute of Technology and University College, London, January 2020)
“(Un)informed Consent: Studying GDPR Consent Notices in the Field”
(Ruhr-Universität Bochum, August 2019)
How to comply with the right to erasure (if you haven’t already!)
(IAPP, August 2018)
Are all these GDPR-consent emails even necessary?
(IAPP, May 2018)

Privacy Programs and Compliance

eBook – Top 10 operational responses to the GDPR

Published: March 2018. In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the EU General Data Protection Regulation. Now, with the May 25, 2018, GDPR-implementation deadline looming, the IAPP is releasing a companion series to present common practical organizational responses that our members report undertaking in anticipation of GDPR implementation. Part 1: Data inventory and mapping. Part 2: Lawfu...

Top 10 operational impacts of the GDPR: Part 7 - Vendor Management

Hands-On Guide to GDPR Compliance

Authors: Karen Lawrence Öqvist, Filip Johnssén. “There are six words in the General Data Protection Regulation (GDPR) which have triggered a paradigm shift in how privacy compliance is dealt with by EU organisations. The GDPR mandates that an organisation must practice ‘data protection by design, by default’. What this means is that every organisation must weave privacy-thinking into its DNA. Hence, the paradigm shift has expanded privacy compliance out of the lega...

Security and Breach Notifications

Is the EDPB’s ‘targeted update’ to data breach reporting guidance a ‘mini-budget’ moment for GDPR regulation?

You would have had to be living under a rock to have missed all the political turmoil in the U.K. over the past few weeks concerning the U.K. government’s “mini-budget.” In essence, even the staunchest government allies now accept it was a mistake to make changes to the U.K. tax system without fully thinking through the consequences of those changes, resulting in the need to make a series of embarrassing political U-turns. The government’s ill-advised changes should be a cautionary tale for the...

Implementing appropriate security under the GDPR

The EU General Data Protection Regulation is finally here, and things like data mapping, data protection impact assessments, consent management, and data subject rights have been on everyone’s minds leading up to its arrival. While these operational requirements are obvious for many companies, some others have flown under the radar. One in particular that we have received questions about from our customers at OneTrust is the requirement for appropriate security. Security of processing: Security of processi...

Understanding data processors’ ISO and SOC 2 credentials for GDPR compliance

The European Union General Data Protection Regulation puts significant new responsibilities and liabilities on data controllers regarding their use of third-party processors. Data controllers will face increased requirements to understand and contractually stipulate the policies and procedures of their processors in accordance with the GDPR. In an effort to simplify procurement and review, controllers and processors alike are likely to look towards existing privacy and security certifications as...

White Paper – IAPP-OneTrust Research: Bridging ISO 27001 to GDPR

(March 2018) – The IAPP and OneTrust have undertaken the task of mapping the most common security operations standard, ISO 27001, to the world’s most influential piece of privacy legislation, the GDPR, so as to create a framework for understanding just how closely they align and how much of the work toward GDPR compliance the security function has likely already done. With this research project, we have identified six main areas of common ground that should help every organization align their security and privacy operations in a way that will create efficiencies and, hopefully, reduce the risk of a damaging incident while increasing productivity and customer trust.

The Making of the GDPR

A brief history of the General Data Protection Regulation (1981-2016)

Last Updated: February 2016. On 28 January 2016: The 47 countries of the Council of Europe as well as European institutions, agencies and bodies celebrated the 10th annual European Data Protection Day, which marks the anniversary of the Council of Europe's Convention 108. The series of events dedicated to this anniversary included a conference co-hosted by the European Parliament and the European Data Protection Supervisor for EU officials on the EU data protection reform. On 21 December 2015:...

Unravelling the Mysteries of the GDPR Trilogues

In recent days, "trilogue" seems to be the buzz word on everyone's lips, following the adoption by the Council of Ministers of the European Union of the General Data Protection Regulation (GDPR) in a first reading on 11 June. But what exactly is a "trilogue"? What is the meaning of this obscure concept that only exists under European Union law? Following my previous article on the EU's ordinary legislative procedure, I will try through this article to unravel the mysteries of the trilogue by exp...