GDPR FAQ & Resources
What is the GDPR?
The General Data Protection Regulation (EU) 2016/680, or GDPR, is a European Union regulation governing the data privacy of individuals in the EU. The regulation came into full effect in May 2018, superseding the Data Protection Directive 95/46/EC. The GDPR chiefly regulates the personal data processing practices of organizations established in EU member states. It also applies to certain organizations established entirely outside the EU, including in the United States, pursuant to Article 3(2) of the GDPR:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
How does the GDPR relate to Privacy Shield?
The Privacy Shield Framework is an arrangement for transatlantic data flows that enables U.S. businesses to comply with EU and Swiss data privacy requirements when processing personal data originating in Europe. Privacy Shield is a popular adequate transfer mechanism for U.S. companies receiving data from the EU and Switzerland, many of which consider it an essential component of their data handling practices.
While Privacy Shield meets one of the key requirements of the GDPR for companies transferring data to the U.S.—that they use an “adequate” data transfer mechanism for this purpose pursuant to Article 44—there are numerous other elements of the GDPR that U.S. companies should know about. Simply being compliant with Privacy Shield does not mean that your company is fully compliant with the GDPR. Many U.S. companies will be complying with both in tandem.
While BBB EU Privacy Shield does not provide specific GDPR guidance or compliance services, we do receive many requests for GDPR information. We are providing this page as a compilation of resources for companies seeking information on a range of GDPR-related topics. The Data Protection Authorities in each EU Member State and their advisory body, the European Data Protection Board (formerly known as the Article 29 Working Party) routinely issue guidance about their interpretations of the GDPR. Various law firms, trade associations, and other entities in the EU and the U.S. also publish guidance and analysis of the new law.
The list of online resources below will be updated regularly as more information and guidance is released.
PLEASE NOTE: The information and guidance referenced on this page are those of the parties providing them, are general in nature and should not be considered to be legal or professional advice. For advice concerning the application of the GDPR to your specific business operations, you should consult with expert legal counsel familiar with your business.
This page was last updated on June 26, 2018.
The Regulation & Important Official Guidance
European Commission
2018 reform of EU data protection rules
Corrigendum – Update correcting and rectifying translation errors of the GDPR text.
European Data Protection Board (formerly Article 29 Working Party)
Guidelines:
Data Protection Impact Assessments
Identifying a Lead Supervisory Authority
Automated Individual Decision-Making and Profiling
Transparency (rev.01 updated April 2018)
Consent (rev.01 updated April 2018)
Territorial Scope of the GDPR (including guidance on the requirement to designate a representative)
Opinions:
For a full list of guidelines and opinions of the Article 29 Working Party, including those published before 2016, refer to the IAPP’s Resource Center.
General Analysis & Guidance by Topic
General GDPR Guidance
U.K. Information Commissioner’s Office: Guide to the General Data Protection Regulation (also see the ICO’s detailed guidance on What is personal data?)
IAPP: GDPR Resources
IAPP: A Brief History of the GDPR
IAPP: GDPR Implementation Tracker
IAPP: The GDPR and You
Future of Privacy Forum: GDPR Guidance
ICSA - The Governance Institute: EU General Data Protection Regulation Resource Page
White & Case: GDPR Handbook: Unlocking the EU General Data Protection Regulation
Linklaters: Guide to the General Data Protection Regulation
Baker McKenzie: GDPR in 13 Game Changers
Individual Rights
U.K. Information Commissioner’s Office: Individual Rights
IAPP Design Prototypes: Design prototypes for implementing individual rights under GDPR
Lexology: GDPR Series: Part 10 - The Rights of Data Subjects
White & Case: Unlocking the EU General Data Protection Regulation – Rights of data subjects
IAPP: Top 10 Operational Responses to the GDPR - Part 7: Accommodating data subjects’ rights
1. The right to be informed
U.K. Information Commissioner’s Office: The right to be informed (also see the ICO’s detailed guidance on this right)
2. The right of access
U.K. Information Commissioner’s Office: Right of access
IAPP: The Privacy Advisor - Under the GDPR, subject-access requests will change for controllers
3. The right to rectification (or, to have information corrected)
U.K. Information Commissioner’s Office: Right to rectification
4. The right to erasure (or, the right to be forgotten)
U.K. Information Commissioner’s Office: Right to erasure
5. The right to restrict processing
U.K. Information Commissioner’s Office: Right to restrict processing
6. The right to data portability
U.K. Information Commissioner’s Office: Right to data portability
Article 29 Working Party: Right to Data Portability
IAPP: Top 10 Operational Impacts of the GDPR Part 6 – RTBF and data portability
Lexology: Data Portability
7. The right to object
U.K. Information Commissioner’s Office: Right to object
8. Rights related to automated decision-making and profiling
U.K. Information Commissioner’s Office: Rights related to automated decision making including profiling (also see the ICO’s detailed guidance on these rights)
Article 29 Working Party: Automated Individual Decision-Making and Profiling
IAPP: Top 10 Operational Impacts of the GDPR Part 5 – Profiling
Brodies: Profiling and automated decision making under the GDPR
9. The right to be notified
U.K. Information Commissioner’s Office: Personal data breaches
Article 29 Working Party: Personal Data Breach Notification
Implementing GDPR Compliance
U.K. Information Commissioner’s Office: Preparing for the GDPR
Irish Data Protection Commission: The GDPR and You
Lexology: GDPR Series: Part 4 - Practical Guidance on the GDPR
White & Case: Unlocking the EU General Data Protection Regulation – Preparing for the GDPR
IAPP: The Privacy Advisor - Will the GDPR impact you? 4 hypothetical scenarios to help you understand
IAPP: Top 10 Operational Responses to the GDPR – Part 1: Data Inventory and Mapping and Part 3: Build and maintain a data governance system
Transfer of Data
European Commission: Data transfers outside the EU
U.K. Information Commissioner’s Office: International Transfers
White & Case: Unlocking the EU General Data Protection Regulation – Cross-Border Data Transfers
IAPP: Top 10 Operational Impacts of the GDPR: Part 4 – Cross-border data transfers
Bryan Cave: Cross Border Transfers of Information
Pseudonymization
IAPP: Top 10 Operational Impacts of the GDPR: Part 8 - Pseudonymization
IAPP’s The Privacy Advisor: Primer on anonymization and pseudonymisation
PricewaterhouseCoopers: Anonymisation and pseudonymization
Data protection by design
U.K. Information Commissioner’s Office: Data protection by design and default
European Data Protection Supervisor: Implementation of Data Protection by Design and by Default
FieldFisher: Getting to know the GDPR - Designing for compliance
IAPP: Top 10 Operational Responses to the GDPR – Part 4: Data protection impact assessments and data protection by default and by design
Data Retention
Sidley Austin: The impact of the GDPR on the retention of personal data
IAPP: Top 10 Operational Responses to the GDPR – Part 5: Preparing and implementing data-retention and record-keeping policies and systems
Documentation & Record Keeping
Lexology: GDPR Series: Part 13 - Recordkeeping Obligation
FieldFisher translation of the Belgian DPA guidance: Belgian DPA’s Guidance on Record Keeping under the GDPR
Squire Patton Boggs: Maintaining a Record of Data Processing Activities under the GDPR
Accountability and Governance
Controllers, Processors, and Scope
EDPB: Guidelines 3/2018 on the Territorial Scope of the GDPR
Lexology: GDPR Series: Part 1 - Material and Territorial Scope
Lexology: GDPR Series: Part 2 - The GDPR’s main players
IAPP’s The Privacy Advisor: What does territorial scope mean under the GDPR?
White & Case: Unlocking the EU General Data Protection Regulation – Subject matter and scope
White & Case: Unlocking the EU General Data Protection Regulation - Territorial application
Data Protection Officer (DPO)
Article 29 Working Party: Data Protection Officers
European Data Protection Supervisor: Data Protection Officer (DPO)
Irish Data Protection Commission: Guidance on appropriate qualifications for a DPO
Spanish Data Protection Agency: Certification Scheme of DPOs
DPO Network Europe: FAQs about the appointment of data protection officers
Lexology: GDPR Series: Part 3 - Appointment and Role of the Data Protection Officer
IAPP: The IAPP’s DPO Toolkit
IAPP: Top 10 Operational Impacts of the GDPR: Part 2 – The mandatory DPO
IAPP: From Here to DPO: Building a Data Protection Officer
IAPP: How to contract with your outsourced DPO
Designation of a Representative in the EU
EDPB: Guidelines 3/2018 on the Territorial Scope of the GDPR
Lexology: GDPR: Why U.S. Companies Should Care
Lexology: Does the GDPR Apply to Your U.S.-based Company?
IAPP’s The Privacy Advisor: How do the DPO and EU Representative Interplay?
IAPP: Representatives under Art. 27 of the GDPR: All your questions answered
Lead supervisory authority & One-Stop Shop
Article 29 Working Party: Lead Supervisory Authority
White & Case: Unlocking the EU General Data Protection Regulation – Data Protection Authorities
White & Case: Unlocking the EU General Data Protection Regulation – Cooperation and consistency
White & Case: Unlocking the EU General Data Protection Regulation – Issues subject to national law
Lexology: GDPR Series: Part 8 – Leeway Granted to Member State National and Supervisory Authorities
IAPP: Top 10 Operational Responses to the GDPR – Part 10: Communicating with supervisory authorities
Constructing Your Privacy Notice
U.K. Information Commissioner’s Office: Privacy Notice Checklist
Data & Marketing Association: How to Construct Your Privacy Policy
Lexology: GDPR Series: Part 9 - Information to be Provided to Data Subjects
Lexology: Time to Update Your Privacy Statement for GDPR
Lexology: GDPR in Context: Transparency Requirements - Privacy Statements
IAPP: Top 10 Operational Responses to the GDPR – Part 6: Transparency and privacy notices
Contracts & Vendor Management
Lexology: GDPR Series: Part 11 - Data Processing Agreements
IAPP: Top 10 Operational Impacts of the GDPR: Part 7 – Vendor Management
IAPP: Top 10 Operational Responses to the GDPR – Part 9: Vetting and contracting with processors
IAPP’s The Privacy Advisor: Updating your vendor agreements to comply with GDPR
IAPP’s The Privacy Advisor: A strategic approach to vendor-management under the GDPR
Mayer Brown: GDPR Checklist for Third Party Agreements
Womble Carlyle: Do Your Vendor Contracts comply with GDPR?
Data Protection Impact Assessments (DPIAs)
Article 29 Working Party: Data Protection Impact Assessments
U.K. Information Commissioner’s Office: Data Protection Impact Assessments (also see the ICO’s detailed guidance on DPIAs)
Irish Data Protection Commission: Irish DPC Data Protection Impact Assessment guidance
IAPP: Top 10 Operational Responses to the GDPR – Part 4: Data protection impact assessments and data protection by default and by design
Codes of Conduct & Certifications
IAPP: Top 10 Operational Impacts of the GDPR: Part 9 – Codes of conduct and certifications
White & Case: Unlocking the EU General Data Protection Regulation – Codes of Conduct
Cybersecurity & Breach Notification
Article 29 Working Party: Personal Data Breach Notification
U.K. Information Commissioner’s Office: Personal data breaches
Lexology: GDPR Series: Part 12 - Security of Personal Data and Data Breaches
IAPP: Top 10 Operational Impacts of the GDPR: Part 1 – Data security and breach notification
IAPP: GDPR vs U.S. State Data Breach Laws
IAPP: Top 10 Operational Responses to the GDPR – Part 8: Data breach and the GDPR
Violations & Consequences
IAPP: Top 10 Operational Impacts of the GDPR: Part 10 – Consequences for GDPR Violations
Lexology: GDPR – Sanctions for non-compliance
Lawful Bases for Processing Personal Data
EU Commission: Legal grounds for processing data
Article 29 Working Party: Opinion on Data Processing At Work
U.K. Information Commissioner’s Office: Lawful basis interactive guidance tool and presentation for organizations
Lexology: GDPR Series: Part 5 - Data Processing Principles
Lexology: GDPR Series: Part 6 - Legal Grounds for Processing
White & Case: Unlocking the EU General Data Protection Regulation – Lawful basis for processing
IAPP: Top 10 Operational Responses to the GDPR – Part 2: Lawful bases for processing
Consent:
U.K. Information Commissioner’s Office: Detailed guidance on consent and consent presentation for organizations
IAPP: Top 10 Operational Impacts of the GDPR: Part 3 - Consent
IAPP: The UX Guide to Getting Consent
PageFair: GDPR consent design: How granular must adtech opt-ins be?
Hunton & Williams LLP’s Centre for Information Policy Leadership: Recommendations for Implementing Transparency, Consent and Legitimate Interest under the GDPR
Lexology: GDPR Series Part 7: Consent
White & Case: Unlocking the EU General Data Protection Regulation – Consent
Legitimate Interests:
Center for Information Policy Leadership: Examples of Legitimate Interest Grounds for Processing of Personal Data
U.K. Information Commissioner’s Office: Legitimate interests presentation for organizations
Bird & Bird: Guide to the GDPR: Legitimate Interests
Slaughter and May: Processing of personal data: Consent and legitimate interests under the GDPR
The Data Protection Network: Guidance on the Use of Legitimate Interests under the EU General Data Protection Regulation
Data with Additional Protections
Sensitive Data:
Lexology: GDPR Series: Part 15 - Sensitive Data
U.K. Information Commissioner’s Office: Special category data
Children’s Personal Data:
ICO’s detailed guidance on children and the GDPR
IAPP: GDPR Matchup: The Children’s Online Privacy Protection Act
BBB National Programs: Children’s Advertising Review Unit (CARU) – COPPA Safe Harbor Program
GDPR Commentary & Legal Analysis
Baker McKenzie - b:Inform blog: http://www.bakerinform.com/
Hunton & Williams - Privacy & Info Security Law Blog: https://www.huntonprivacyblog.com/
Covington & Burling - Inside Privacy: https://www.insideprivacy.com/
Alston & Bird - Privacy & Data Security Blog: http://www.alstonprivacy.com/
Mintz Levin - Privacy & Security Matters: https://www.privacyandsecuritymatters.com/
FieldFisher - Privacy Law Blog: http://privacylawblog.fieldfisher.com/
PricewaterhouseCoopers: https://www.pwc.com/us/en/cybersecurity/general-data-protection-regulation.html
Womble Bond Dickinson: https://www.womblebonddickinson.com/us/insights/alerts/gdpr-compliance-task-force