CIPL Project on EU GDPR Implementation
The political agreement on the EU General Data Protection Regulation (GDPR) has been reached and the new Regulation will be on the books by the end of the first quarter of 2016. Organisations will have a two-year period (spring 2016-spring 2018) to assess the impact of the Regulation on their activities, devise and execute implementation strategies and make changes to their business processes, compliance infrastructures and IT systems to reflect the new requirements. The new regime will bring changes not only to organisations, but also to the data protection authorities and how they oversee, supervise and enforce the new rules in Europe.
Some of the immediate impacts of the GDPR relate to its jurisdictional and extraterritorial reach; new requirements concerning privacy impact assessments, privacy by design, pseudonymisation, data breach notification, data processor obligations, organisational accountability and data protection officers, data protection principles, rights of individuals; legal liability, remedies, fines; and the roles and powers of data protection authorities.
Importantly, despite the ambition to harmonise data protection rules across Europe, the GDPR leaves a significant margin of maneuver to Member States in its application. It also gives both the EU Commission and the new European Data Protection Board (EDPB) powers to enact implementing regulations and guidance.
To address these changes, CIPL is launching a special project in March 2016 – the CIPL PROJECT ON GDPR IMPLEMENTATION.
The rationale for the project is the need for a constructive and expert dialogue between industry, regulators and key policy makers that will inform and build bridges between different stakeholders, help develop consistent and forward-thinking interpretations of the new requirements and devise best practices for implementing the requirements. Consistent interpretation, implementation, oversight and enforcement of the new rules across the EU Member States are all critical to the success of the GDPR and the European Single Digital Market Strategy. Finally, the GDPR and the way in which it is implemented will have a significant influence on other countries and regions around the world as they develop their data privacy regimes.
The project aims to establish a forum for an expert dialogue between industry representatives, DPAs, the European Data Protection Supervisor (EDPS), the EU Commission, Member States representatives and academic experts through a series of workshops, webinars and white papers with the following specific objectives:
Proposed Project Topics
The specific topics to be covered in the project will be ultimately decided by the project Steering Committee, DPAs and other project stakeholders. The proposed topics of focus include application of the law to controllers and processors, main establishment and OSS, pseudonymisation, legitimacy (consent, legitimate interest-based processing), further processing for new purposes, “profiling”, risk management, privacy impact assessments, data breach notification, cross-border data transfer mechanisms, demonstrating accountability, privacy seals and certifications, and the new powers, responsibilities and working of DPAs and the EDPB.
Download the project "5 Buckets" focus topics.
Project White Papers, Written Submissions and Articles
Project Workshops and Webinars
Workshop I: Towards a Successful and Consistent Implementation of the GDPR
March 16, 2016
Webinar: The Role of "Risk" and "High Risk" Under the GDPR
May 24, 2016
Webinar: The Role of the DPO Under the GDPR
June 22, 2016
Workshop II: The Role of the Data Protection Officer (DPO) and Risk and High Risk under the GDPR
September 19, 2016
Webinar: Understanding Certifications, Seals and Marks under the GDPR
October 27, 2016
Working Session on Seals, Certifications and Codes of Conduct
November 8, 2016
Workshop III: GDPR Implementation - Status, Key Challenges and Understanding the Core Principles of Consent, Legitimate Interest and Transparency
March 6-7, 2017