What is the GDPR?

The General Data Protection Regulation (EU) 2016/680, or GDPR, is a European Union regulation governing the data privacy of individuals in the EU. The regulation came into full effect in May 2018, superseding the Data Protection Directive 95/46/EC. The GDPR chiefly regulates the personal data processing practices of organizations established in EU member states. It also applies to certain organizations established entirely outside the EU, including in the United States, pursuant to Article 3(2) of the GDPR:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

 

How does the GDPR relate to Privacy Shield?

The Privacy Shield Framework is an arrangement for transatlantic data flows that enables U.S. businesses to comply with EU and Swiss data privacy requirements when processing personal data originating in Europe. Privacy Shield is a popular adequate transfer mechanism for U.S. companies receiving data from the EU and Switzerland, many of which consider it an essential component of their data handling practices.

While Privacy Shield meets one of the key requirements of the GDPR for companies transferring data to the U.S.—that they use an “adequate” data transfer mechanism for this purpose pursuant to Article 44—there are numerous other elements of the GDPR that U.S. companies should know about. Simply being compliant with Privacy Shield does not mean that your company is fully compliant with the GDPR. Many U.S. companies will be complying with both in tandem.

While BBB EU Privacy Shield does not provide specific GDPR guidance or compliance services, we do receive many requests for GDPR information. We are providing this page as a compilation of resources for companies seeking information on a range of GDPR-related topics. The Data Protection Authorities in each EU Member State and their advisory body, the European Data Protection Board (formerly known as the Article 29 Working Party), routinely issue guidance on their interpretations of the GDPR. Various law firms, trade associations, and other entities in the EU and the U.S. also publish guidance and analysis of the new law.

The list of online resources below will be updated regularly as more information and guidance is released.

PLEASE NOTE: The information and guidance referenced on this page are those of the parties providing them, are general in nature and should not be considered to be legal or professional advice. For advice concerning the application of the GDPR to your specific business operations, you should consult with expert legal counsel familiar with your business.

This page was last updated on June 26, 2018.


The Regulation & Important Official Guidance

European Commission

Access Page

GDPR Full Text

2018 reform of EU data protection rules

Corrigendum – Update correcting and rectifying translation errors of the GDPR text.

European Data Protection Board (formerly Article 29 Working Party)

Guidelines:

Data Protection Impact Assessments

Data Protection Officer

Right to Data Portability

Identifying a Lead Supervisory Authority

Administrative Fines

Automated Individual Decision-Making and Profiling

Data Breach Notification

Transparency (rev.01 updated April 2018)

Consent (rev.01 updated April 2018)

Territorial Scope of the GDPR (including guidance on the requirement to designate a representative)

Opinions:

Data Processing At Work

Law Enforcement Directive

For a full list of guidelines and opinions of the Article 29 Working Party, including those published before 2016, refer to the IAPP’s Resource Center.


General Analysis & Guidance by Topic

General GDPR Guidance

U.K. Information Commissioner’s Office:  Guide to the General Data Protection Regulation (also see the ICO’s detailed guidance on What is personal data?)

IAPP:  GDPR Resources

IAPP:  A Brief History of the GDPR

IAPP: GDPR Implementation Tracker

IAPP: The GDPR and You

Future of Privacy Forum:  GDPR Guidance

ICSA - The Governance Institute: EU General Data Protection Regulation Resource Page

White & Case:  GDPR Handbook: Unlocking the EU General Data Protection Regulation

Bird & Bird: Guide to the GDPR

Linklaters: Guide to the General Data Protection Regulation

Baker McKenzie: GDPR in 13 Game Changers

 

Individual Rights

U.K. Information Commissioner’s Office:  Individual Rights

IAPP Design Prototypes:  Design prototypes for implementing individual rights under GDPR

Lexology: GDPR Series: Part 10 - The Rights of Data Subjects

White & Case:  Unlocking the EU General Data Protection Regulation – Rights of data subjects

IAPP: Top 10 Operational Responses to the GDPR - Part 7: Accommodating data subjects’ rights

 

1.  The right to be informed 

U.K. Information Commissioner’s Office: The right to be informed  (also see the ICO’s detailed guidance on this right)

 

2.  The right of access 

U.K. Information Commissioner’s Office: Right of access

Irish Data Protection Commissioner: Access Rights and Responsibilities: A guide for Individuals and Organizations

Bird & Bird: Guide to the GDPR: Subject access, rectification and portability

IAPP: The Privacy Advisor - Under the GDPR, subject-access requests will change for controllers

 

3.  The right to rectification (or, to have information corrected) 

U.K. Information Commissioner’s Office: Right to rectification

Bird & Bird: Guide to the GDPR: Subject access, rectification and portability

 

4.  The right to erasure (or, the right to be forgotten)

U.K. Information Commissioner’s Office: Right to erasure

Bird & Bird: Right to erasure and right to restriction of processing

 

5.  The right to restrict processing

U.K. Information Commissioner’s Office: Right to restrict processing

Bird & Bird: Right to erasure and right to restriction of processing

 

6.  The right to data portability

U.K. Information Commissioner’s Office: Right to data portability

Article 29 Working Party: Right to Data Portability

Bird & Bird: Guide to the GDPR: Subject access, rectification and portability

IAPP: Top 10 Operational Impacts of the GDPR: Part 6 – RTBF and data portability

Lexology: Data Portability

 

7.  The right to object 

U.K. Information Commissioner’s Office: Right to object

Bird & Bird: Rights to object

 

8.  Rights related to automated decision-making and profiling

U.K. Information Commissioner’s Office: Rights related to automated decision making including profiling (also see the ICO’s detailed guidance on these rights)

Article 29 Working Party: Automated Individual Decision-Making and Profiling

IAPP: Top 10 Operational Impacts of the GDPR: Part 5 – Profiling

Brodies: Profiling and automated decision making under the GDPR

 

9.  The right to be notified 

U.K. Information Commissioner’s Office: Personal data breaches

Article 29 Working Party: Personal Data Breach Notification

 

Implementing GDPR Compliance

U.K. Information Commissioner’s Office:  Preparing for the GDPR

U.K. Information Commissioner’s Office:  Getting ready for the GDPR checklists

Irish Data Protection Commission: The GDPR and You

Cyber Counsel:  What is Personal Data under GDPR

Lexology: GDPR Series: Part 4 - Practical Guidance on the GDPR

White & Case:  Unlocking the EU General Data Protection Regulation – Preparing for the GDPR

IAPP: The Privacy Advisor - Will the GDPR impact you? 4 hypothetical scenarios to help you understand

IAPP: Top 10 Operational Responses to the GDPR – Part 1: Data Inventory and Mapping and Part 3: Build and maintain a data governance system

Hogan Lovells: Future-Proofing Privacy - A guide to complying with the EU Data Protection Regulation

 

    Transfer of Data

    European Commission: Data transfers outside the EU

    U.K. Information Commissioner’s Office: International Transfers

    White & Case:  Unlocking the EU General Data Protection Regulation – Cross-Border Data Transfers

    IAPP: Top 10 Operational Impacts of the GDPR: Part 4 – Cross-border data transfers

    Bryan Cave: Cross Border Transfers of Information

 

    Pseudonymization

    IAPP: Top 10 Operational Impacts of the GDPR: Part 8 - Pseudonymization

    IAPP’s The Privacy Advisor: Primer on anonymization and pseudonymisation

    PricewaterhouseCoopers: Anonymisation and pseudonymization

 

    Data protection by design

    U.K. Information Commissioner’s Office:  Data protection by design and default

    European Data Protection Supervisor: Implementation of Data Protection by Design and by Default

    FieldFisher: Getting to know the GDPR - Designing for compliance

    IAPP: Top 10 Operational Responses to the GDPR – Part 4: Data protection impact assessments and data protection by default and by design

 

    Data Retention

    U.K. Bar Council, Information Technology Panel: Data Retention Guidance

    Sidley Austin: The impact of the GDPR on the retention of personal data

    IAPP: Top 10 Operational Responses to the GDPR – Part 5: Preparing and implementing data-retention and record-keeping policies and systems

 

    Documentation & Record Keeping

    Lexology: GDPR Series: Part 13 - Recordkeeping Obligation

    Field Fisher translation of the Belgian DPA guidance: Belgian DPA’s Guidance on Record Keeping under the GDPR

    Squire Patton Boggs: Maintaining a Record of Data Processing Activities under the GDPR

 

Accountability and Governance

    Controllers, Processors, and Scope

    EDPB: Guidelines 3/2018 on the Territorial Scope of the GDPR

    Lexology: GDPR Series: Part 1 - Material and Territorial Scope

    Lexology: GDPR Series: Part 2 - The GDPR’s main players

    Bird & Bird: Guide to the GDPR - Material and territorial scope

    IAPP’s The Privacy Advisor: What does territorial scope mean under the GDPR?

    White & Case: Unlocking the EU General Data Protection Regulation – Subject matter and scope

    White & Case:  Unlocking the EU General Data Protection Regulation - Territorial application

 

    Data Protection Officer (DPO)

    Article 29 Working Party: Data Protection Officers

    European Data Protection Supervisor:  Data Protection Officer (DPO)

    Irish Data Protection Commission: Guidance on appropriate qualifications for a DPO

    Spanish Data Protection Agency:  Certification Scheme of DPOs

    DPO Network Europe: FAQs about the appointment of data protection officers

    Lexology: GDPR Series: Part 3 - Appointment and Role of the Data Protection Officer

    IAPP:  The IAPP’s DPO Toolkit

    IAPP:  Top 10 Operational Impacts of the GDPR: Part 2 – The mandatory DPO

    IAPP: From Here to DPO: Building a Data Protection Officer

    IAPP: How to contract with your outsourced DPO

 

    Designation of a Representative in the EU

    EDPB: Guidelines 3/2018 on the Territorial Scope of the GDPR

    Lexology:  GDPR: Why U.S. Companies Should Care

    Lexology:  Does the GDPR Apply to Your U.S.-based Company?

    IAPP’s The Privacy Advisor:  How do the DPO and EU Representative Interplay?

    IAPP: Representatives under Art. 27 of the GDPR: All your questions answered

 

    Lead supervisory authority & One-Stop Shop

    Article 29 Working Party: Lead Supervisory Authority

    White & Case:  Unlocking the EU General Data Protection Regulation – Data Protection Authorities

    White & Case:  Unlocking the EU General Data Protection Regulation – Cooperation and consistency

    White & Case:  Unlocking the EU General Data Protection Regulation – Issues subject to national law

    Lexology: GDPR Series: Part 8 – Leeway Granted to Member State National and Supervisory Authorities

    IAPP: Top 10 Operational Responses to the GDPR – Part 10: Communicating with supervisory authorities

 

    Constructing Your Privacy Notice

    U.K. Information Commissioner’s Office: Privacy Notice Checklist

    Data & Marketing Association:  How to Construct Your Privacy Policy

    Lexology: GDPR Series: Part 9 - Information to be Provided to Data Subjects

    Lexology: Time to Update Your Privacy Statement for GDPR

    Lexology: GDPR in Context: Transparency Requirements - Privacy Statements   

    IAPP: Top 10 Operational Responses to the GDPR – Part 6: Transparency and privacy notices

 

    Contracts & Vendor Management

    U.K. Information Commissioner’s Office: Consultation on GDPR guidance on contracts and liabilities between controllers and processors

    Lexology: GDPR Series: Part 11 - Data Processing Agreements

    IAPP:  Top 10 Operational Impacts of the GDPR: Part 7 – Vendor Management

    IAPP: Top 10 Operational Responses to the GDPR – Part 9: Vetting and contracting with processors

    IAPP’s The Privacy Advisor: Updating your vendor agreements to comply with GDPR

    IAPP’s The Privacy Advisor: A strategic approach to vendor-management under the GDPR

    Mayer Brown: GDPR Checklist for Third Party Agreements

    Womble Carlyle: Do Your Vendor Contracts comply with GDPR?

 

    Data Protection Impact Assessments (DPIAs)

    Article 29 Working Party: Data Protection Impact Assessments

    U.K. Information Commissioner’s Office: Data Protection Impact Assessments (also see the ICO’s detailed guidance on DPIAs)

    Irish Data Protection Commission: Irish DPC Data Protection Impact Assessment guidance

    IAPP: Top 10 Operational Responses to the GDPR – Part 4: Data protection impact assessments and data protection by default and by design

 

    Codes of Conduct & Certifications

    IAPP:  Top 10 Operational Impacts of the GDPR: Part 9 – Codes of conduct and certifications

    White & Case:  Unlocking the EU General Data Protection Regulation – Codes of Conduct

 

    Cybersecurity & Breach Notification

    Article 29 Working Party: Personal Data Breach Notification

    U.K. Information Commissioner’s Office: Personal data breaches

    Lexology: GDPR Series: Part 12 - Security of Personal Data and Data Breaches

    BBB:  BBB Cybersecurity – 5 Steps to Better Business Cybersecurity

    IAPP: Top 10 Operational Impacts of the GDPR: Part 1 – Data security and breach notification

    IAPP: GDPR vs U.S. State Data Breach Laws

    IAPP: Top 10 Operational Responses to the GDPR – Part 8: Data breach and the GDPR

 

    Violations & Consequences

    IAPP: Top 10 Operational Impacts of the GDPR: Part 10 – Consequences for GDPR Violations

    Lexology: GDPR – Sanctions for non-compliance

 

Lawful Bases for Processing Personal Data

EU Commission: Legal grounds for processing data

Article 29 Working Party: Opinion on Data Processing At Work

U.K. Information Commissioner’s Office: Lawful basis interactive guidance tool and presentation for organizations

Lexology: GDPR Series: Part 5 - Data Processing Principles

Lexology: GDPR Series: Part 6 - Legal Grounds for Processing

White & Case:  Unlocking the EU General Data Protection Regulation – Lawful basis for processing

IAPP: Top 10 Operational Responses to the GDPR – Part 2: Lawful bases for processing

 

    Consent:

    U.K. Information Commissioner’s Office: Detailed guidance on consent and consent presentation for organizations

    IAPP: Top 10 Operational Impacts of the GDPR: Part 3 - Consent

    IAPP: The UX Guide to Getting Consent

    PageFair: GDPR consent design: How granular must adtech opt-ins be?

    Hunton & Williams LLP’s Centre for Information Policy Leadership: Recommendations for Implementing Transparency, Consent and Legitimate Interest under the GDPR

    Lexology: GDPR Series Part 7: Consent

    White & Case:  Unlocking the EU General Data Protection Regulation – Consent

 

    Legitimate Interests:

    Center for Information Policy Leadership: Examples of Legitimate Interest Grounds for Processing of Personal Data

    U.K. Information Commissioner’s Office: Legitimate interests presentation for organizations

    Bird & Bird: Guide to the GDPR: Legitimate Interests

    Slaughter and May: Processing of personal data: Consent and legitimate interests under the GDPR

    The Data Protection Network: Guidance on the Use of Legitimate Interests under the EU General Data Protection Regulation

 

Data with Additional Protections

    Sensitive Data:

    Lexology: GDPR Series: Part 15 - Sensitive Data

    U.K. Information Commissioner’s Office: Special category data

    Bird & Bird: Guide to the GDPR – Sensitive data and lawful processing

 

    Children’s Personal Data:

    U.K. Information Commissioner’s Office: Children (also see the ICO’s detailed guidance on children and the GDPR)

    Bird & Bird: Guide to the GDPR - Children

    IAPP:  GDPR Matchup: The Children’s Online Privacy Protection Act

    BBB:  Children’s Advertising Review Unit (CARU) – COPPA Safe Harbor Program


GDPR Commentary & Legal Analysis

Bird & Bird: https://www.twobirds.com/en/hot-topics/general-data-protection-regulation  

Baker McKenzie - b:Inform blog: http://www.bakerinform.com/

Hunton & Williams - Privacy & Info Security Law Blog: https://www.huntonprivacyblog.com/  

Covington & Burling - Inside Privacy: https://www.insideprivacy.com/  

Alston & Bird - Privacy & Data Security Blog: http://www.alstonprivacy.com/  

Mintz Levin - Privacy & Security Matters: https://www.privacyandsecuritymatters.com/ 

FieldFisher - Privacy Law Blog: http://privacylawblog.fieldfisher.com/   

PricewaterhouseCoopers: https://www.pwc.com/us/en/cybersecurity/general-data-protection-regulation.html

Womble Bond Dickinson: https://www.womblebonddickinson.com/us/insights/alerts/gdpr-compliance-task-force 

IAPP's Privacy Vendor List