Happy New Year! With 2018 off to a rapid start, companies now have fewer than five months to become GDPR-compliant.
Although the basic principles and obligations enshrined in the GDPR are not new, the GDPR contains a complex, interlinked series of requirements whose practical application to real world situations is often very unclear. The Article 29 Working Party, a body consisting of EU national data protection authorities, has issued several important opinions and guidelines intended to help data controllers and processors interpret the new rules. These guidelines, while not legally binding, are influential and are likely to be given considerable weight by reviewing courts.
We have provided the links to the most important publications below for ease of reference:
- Draft Guidelines on Consent under Regulation 2016/679 (consultation closes on 23 January 2018)
- Draft Guidelines on Transparency under Regulation 2016/679 (consultation closes on 23 January 2018)
- Adopted Guidelines on personal data breach notification under Regulation 2016/679
- Adopted Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679
- Adopted Guidelines on the right to “data portability”
- Adopted Guidelines on Data Protection Impact Assessment (DPIA) and determining whether Processing is “likely to result in a high risk” for the purposes of Regulation 2016/679
- Adopted Guidelines on Data Protection Officers (“DPOs”)
- Adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679
- Adopted Guidelines for identifying a controller or processor’s lead supervisory authority
- Opinion 2/2017 on data processing at work
- Opinion 01/2017 on Proposed Regulation for the ePrivacy Regulation
In the UK, which will apply the GDPR prior to and for some time after Brexit, there is currently a draft Data Protection Bill making its way through British Parliament. If adopted in its current form, the Bill will serve to implement the GDPR, including various derogations. For UK based companies, it may also be helpful to consider the following guidelines published by the UK Information Commissioner’s Office (ICO):
- Self-assessment GDPR checklist for controllers and processors
- Guide to the GDPR
- Preparing for the GDPR: 12 steps to take now
- Children and the GDPR guidance (Draft/consultation closes on 28 February 2018)
- ICO’s GDPR related blog
National data protection authorities in other countries may also publish helpful GDPR related checklists or country-specific guidance. The Data Privacy & Cybersecurity team at Squire Patton Boggs has substantial experience counselling clients on how to prepare for and comply with the GDPR in the most practical ways.
If your company has been putting off the inevitable, we can help you identify the highest regulatory risks in order to prioritise the GDPR action steps that can and should be achieved by the end of May 2018.
Please feel free to contact one of our team members if you would like a free half-hour consultation with one of our GDPR experts to discuss how we can support your GDPR compliance initiative.