CIPL Project on EU GDPR Implementation

Project Background
The political agreement on the EU General Data Protection Regulation (GDPR) has been reached and the new Regulation will be on the books by the end of the first quarter of 2016. Organisations will have a two year period (spring 2016-spring 2018) to assess the impact of the Regulation on their activities, devise and execute implementation strategies and make changes to their business processes, compliance infrastructures and IT systems to reflect the new requirements.  The new regime will bring changes not only to organisations, but also to the data protection authorities and how they oversee, supervise and enforce the new rules in Europe.
 
Some of the immediate impacts of the GDPR relate to its jurisdictional and extraterritorial reach; new requirements concerning privacy impact assessments, privacy by design, pseudonymisation, data breach notification, data processor obligations, organisational accountability and data protection officers, data protection principles, rights of individuals; legal liability, remedies, fines; and the roles and powers of data protection authorities.
 
Importantly, despite the ambition to harmonise data protection rules across Europe, the GDPR leaves a significant margin of maneuver to Member States in its application. It also gives both the EU Commission and the new European Data Protection Board (EDPB) powers to enact implementing regulations and guidance.
 
To address these changes, CIPL is launching a special project in March 2016 – the CIPL PROJECT ON GDPR IMPLEMENTATION.
 
The rationale for the project is the need for a constructive and expert dialogue between industry, regulators and key policy makers, that will inform and build bridges between different stakeholders, help develop consistent and forward thinking interpretations of the new requirements and  devise best practices for implementing the requirements.  Consistent interpretation, implementation, oversight and enforcement of the new rules across the EU Member States are all critical to the success of the GDPR and the European Single Digital Market Strategy.  Finally, the GDPR and the way it which it is implemented will have a significant influence on other countries and regions around the world as they develop their data privacy regimes.  

Project Objectives
The project aims to establish a forum for an expert dialogue between industry representatives, DPAs, the European Data Protection Supervisor (EDPS), the EU Commission, Member States representatives and academic experts through a series of workshops, webinars and white papers with the following specific objectives: 
  • Informing and advancing constructive and forward-thinking interpretations of key GDPR requirements
  • Facilitating consistency in the interpretation of the GDPR across the EU
  • Facilitating consistency in the further implementation of the GDPR by Member States, EU Commission and EDPB
  • Examining best practices, as well as challenges, in the implementation of the key GDPR requirements
  • Sharing industry experiences and views to benchmark, coordinate and streamline the implementation of new compliance measures; and
  • Examining how the new GDPR requirements should be interpreted and implemented to advance the European Digital Single Market strategy and data-driven innovation, while protecting the privacy of individuals and respecting the fundamental right to data protection

Proposed Project Topics
The specific topics to be covered in the project will be ultimately decided by the project Steering Committee, DPAs and other project stakeholders. The proposed topics of focus include application of the law to controllers and processors, main establishment and OSS, pseudonymisation, legitimacy (consent, legitimate interest-based processing), further processing for new purposes, “profiling”, risk management, privacy impact assessments, data breach notification, cross-border data transfer mechanisms, demonstrating accountability, privacy seals and certifications, and the new powers, responsibilities and working of DPAs and the EDPB. 

Download the project "5 Buckets" focus topics.

Project Timeline
  • ​January 2016 – Formation of project Steering Committee and discussion with project stakeholders
  • March 2016 – Official launch of the project
  • March 16, 2016 – Workshop I: Towards a Successful and Consistent Implementation of the GDPR (Amsterdam, Netherlands)
  • May 24, 2016 – Webinar: A Deep Dive on “Risk” and “High Risk” in the GDPR
  • June 22, 2016 – Webinar: A Deep Dive on the Role of the DPO under the GDPR
  • September 19, 2016  – Workshop II: The Role of the Data Protection Officer (DPO) and Risk and High Risk under the GDPR (Paris, France)
  • September 20, 2016 - Industry GDPR Implementation Roundtable (Hosted by Orange, S.A.) (Paris, France)
  • October 27, 2016 - Webinar: Understanding Certifications, Seals and Marks under the GDPR
  • November 8, 2016 - Working Session on Seals, Certifications and Codes of Conduct (Brussels, Belgium)
  • March 6-7, 2017 – Workshop III: GDPR Implementation - Status, Key Challenges and Understanding the Core Principles of Consent, Legitimate Interest and Transparency (Madrid, Spain)
  • June 14, 2017 - Working Session on Smart Data Protection - How Can DPAs Maximize Effectiveness within the Context of Increased Responsibilities and Limited Resources? (Dublin, Ireland)

Project White Papers, Written Submissions and Articles 
CIPL Response to the EDPB's Guidelines on the Application of Article 65(1)(a) of the GDPR
May 28, 2021

EDPB Certification Comments - Comments by the Centre for Information Policy Leadership on the European Data Protection Board's "Draft Guidelines 1/2018 on certification and identifying certification criteria in accordance with articles 42 and 43 of Regulation 2016/679" adopted on 25 May 2018"
July 10, 2018

ePrivacy Study - Study prepared for CIPL by Normally on "How Will the ePrivacy Regulation affect the design of digital services and their user experiences?"
May 14, 2018

​WP29 Certification Comments - Comments by the Centre for Information Policy Leadership on the Article 29 Data Protection Working Party's "Draft Guidelines on the accreditation of certification bodies under Regulation (EU) 2016/679" adopted on 6 February 2018
March 29, 2018

CIPL Factsheet on ePrivacy and the GDPR - Factsheet on the key issues relating to the relationship between the proposed ePrivacy Regulation (ePR) and the General Data Protection Regulation (GDPR)
March 20, 2018

Children's Data and Consent - CIPL White Paper on GDPR Implementation in Respect of Children's Data and Consent
March 6, 2018

WP29 Consent Comments - Comments by the Centre for Information Policy Leadership on the Article 29 Data Protection Working Party's "Guidelines on Consent" adopted on 28 November 2017
January 29, 2018

WP29 Transparency Comments - Comments by the Centre for Information Policy Leadership on the Article 29 Data Protection Working Party's "Guidelines on Transparency' adopted on 28 November 2017
January 29, 2018

WP29 BCR Comments - Comments by the Centre for Information Policy Leadership on the Article 29 Data Protection Working Party's Updated Working Documents Setting Up Tables for Binding Corporate Rules and Processor Binding Corporate Rules adopted on 29 November 2017
January 17, 2018

WP29 Breach Notification Comments - Comments by the Centre for Information Policy Leadership on the Article 29 Working Party's "Guidelines on Personal Data Breach Notification under Regulation 2016/679" adopted on 3 October 2017
December 1, 2017 ​

WP29 Profiling and ADM Comments - Comments by the Centre for Information Policy Leadership on the Article 29 data Protection Working Party's "Guidelines on Automated Individual Decision-Making and Profiling" adapted on 3 October 2017
December 1, 2017 

ePrivacy Study - Study prepared for CIPL by Professor Niko Härting of HÄRTING Rechtsanwälte PartGmbB on the implications of the proposed ePrivacy Regulation in the EU
October 19, 2017

Regulating for Results Paper - Regulating for Results: Strategies and Priorities for Leadership and Engagement
September 25, 2017 (Updated on October 10, 2017)

​ePrivacy Paper - Comments on the Proposal for an ePrivacy Regulation
September 11, 2017

WP29 DPIA Comments - Comments by the Centre for Information Policy Leadership on the Article 29 Data Protection Working Party’s “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679” adopted on 4 April 2017
May 19, 2017

Transparency, Consent and Legitimate Interest Paper - Recommendations for Implementing Transparency, Consent and Legitimate Interest under the GDPR
May 19, 2017

GDPR Workshop III  Key Takeaways - CIPL Madrid Workshop Key Takeaways
April 27, 2017

GDPR Implementation Challenges Summary Document - GDPR Implementation Challenges: A Summary of CIPL GDPR Project Participants’ Feedback
April 27, 2017

Certifications Paper - Certifications, Seals and Marks under the GDPR and Their Roles as Accountability Tools and Cross-Border Data Transfer Mechanisms
April 12, 2017

Legitimate Interest Paper - CIPL Examples of Legitimate Interest Grounds for Processing of Personal Data 
March 16, 2017 (Updated on April 27, 2017)​

WP29 LSA Comments - Comments by the Centre for Information Policy Leadership on the Article 29 Data Protection Working Party’s “Guidelines for identifying a controller or processor’s lead supervisory authority” adopted on 13 December 2016
February 15, 2017

WP29 Data Portability Comments - Comments by the Centre for Information Policy Leadership on the Article 29 Data Protection Working Party’s “Guidelines on the right to data portability” adopted on 13 December 2016
February 15, 2017

WP29 DPO Comments - Comments by the Centre for Information Policy Leadership on the Article 29 Data Protection Working Party’s “Guidelines on Data Protection Officers (DPOs)” adopted on 13 December 2016
January 24, 2017

Risk Paper - Risk, High Risk, Risk Assessments and Data Protection Impact Assessments under the GDPR
December 21, 2016

OSS Paper - The One-Stop-Shop and the Lead DPA as Co-operation Mechanisms in the GDPR
November 30, 2016

DPO Paper - Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation
November 17, 2016 

Workshop II Report - The Role of the Data Protection Officer (DPO) and Risk and High Risk under the GDPR
October 5, 2016

Workshop I Report -  Implementing and and Interpreting the GDPR: Challenges and Opportunities
May 6, 2016

GDPR Implementation Chart - EU General Data Protection Regulation: Harmonization Limits, Further Implementation and Standardization
April 19, 2016

IAPP Privacy Perspective Op-Ed: "How to Build a Cathedral in Two Years"
April 1, 2016

Project Workshops and Webinars
CIPL Working Session on Profiling, Automated Decision-Making and Cross-Border Data Transfers under the GDPR
November 7, 2017
Webinar: Profiling and Automated Decision-Making under the GDPR
July 27, 2017
CIPL GDPR Project Senior Leaders Working Session on Smart Data Protection - How Can DPAs Maximise Effectiveness within the Context of Increased Responsibilites and Limited Resources?
June 14, 2017Workshop III: GDPR Implementation - Status, Key Challenges and Understanding the Core Principles of Consent, Legitimate Interest and Transparency
March 6-7, 2017
Working Session on Seals, Certifications and Codes of Conduct
November 8, 2016
Webinar: Understanding Certifications, Seals and Marks under the GDPR
October 27, 2016
Workshop II: The Role of the Data Protection Officer (DPO) and Risk and High Risk under the GDPR
September 19, 2016
Paris Webinar: The Role of the DPO Under the GDPR
June 22, 2016 ​Webinar: The Role of "Risk" and "High Risk" Under the GDPR
May 24, 2016
Workshop I: Towards a Successful and Consistent Implementation of the GDPR 
March 16, 2016
​Amsterdam