GDPR (General Data Protection Regulation)
EU GDPR (General Data Protection Regulation) is a far-reaching privacy regulation in the European Union. It covers personal information and activities taking place within the European Union even when the party processing the personal information is not in the EU. GDPR is a law established at the European Union level and comes with hefty penalties. It is automatically in force in all EU countries and will start being enforced on May 25, 2018.
The definition of personal information in the legislation is extremely broad. It basically covers any information that has been or can be associated with a particular natural person.
- Introductory Videos
- Links to the law and official guidance
- EU Data Protection Directive (DPD)
- European Court of Justice decisions around GDPR
- Resources for marketing professionals
- Guidance from law offices, associations, and consultants
- Press and vendor articles about GDPR
Introduction to GDPR
Introduction to GDPR by head of policy at UK Information Commissioner's Office.
EU GDPR requirements & SSH
Webinar with IDC's Rob Westervelt and Director of Compliance Fouad Khalil from SSH Communications Security. It gives both general and SSH-specific guidance on how to comply with GDPR, particularly its data protection requirements.
Links to the law and official guidance
These links provide the text of the General Data Protection Regulation, as well as commentary on the regulation by the data protection offices of various EU countries. The commentary may help interpret the regulations.
- Text of the EU GDPR law, indexed for online access
- Text of the EU GDPR, in all European Languages
- Wikipedia: General Data Protection Regulation
- UK Information Commissioner's Office on GDPR
- Ireland data protection commissioner on GDPR
- International Chamber of Commerce on GDPR
EU Data Protection Directive (DPD)
The new regulation largely supersedes the older Data Protection Directive. For reference, the old regulation is provided here.
- Text of the EU Data Protection Directive (DPD)
- Techtarget Whatis: EU Data Protection Directive (Directive 95/46/EC)
- UK Data Protection Act, with links to text
- Wikipedia: UK Data Protection Act 1998
European Court of Justice decisions around GDPR
The European Court of Justice has already made several decisions that are important for interpreting the regulation. Decisions on IP addresses and cybersecurity as a valid justification for processing them are important for many organizations.
- Reform of EU Data protection rules
- EU: Court of Justice rules on dynamic IP addresses
- ECJ confirms dynamic IP addresses may constitute personal data but can be logged to combat cyberattacks
- Reprieve for IT departments as EU court rules on IP addresses
- ECJ declares IP addresses are personal data
- ECJ rules IP address is PII
- In Breyer decision today, Europe's highest court rules on definition of personal data
- European Court of Justice: Safe Harbor Decision Is Invalid
- European Court of Justice rules against mass data retention in EU
- ECJ declares the data retention directive to be invalid: what's next?
- A telephone subscriber's consent to the publication of his data also covers its use in another Member State
Resources for marketing professionals
The regulation is particularly sweeping with respect to Internet marketing and marketing analytics. These references provide guidance for marketing professionals.
- Digiday: A marketer's guide to the looming EU Global Data Protection Regulation
- UK Direct Marketing Association: General Data Protection Regulation
- EU escalates legal action against UK over behavioral advertising
- Which US Businesses must comply with EU data protection laws
- IAPP: Top 10 operational impacts of the GDPR: Part 5 - Profiling
- Hubspot: Data Privacy Resources
- Hubspot data processing agreement
- Preparing for GDPR: What does it mean for HubSpot users?
- GDPR for marketers: How can you become compliant in time
- Piwik Pro: How will GDPR affect your web analytics tracking?
- eWeek: Google reiterates commitment to EU's General Data Protection Regulation
- eWeek: EU certifies Google data transfer contracts comply with privacy rules
- SAS: How GDPR will affect analytics and data management
- The GDPR, Cookie Consent and Customer Centric Privacy
Guidance from law offices, associations, and consultants
Various law offices have written about the regulation and provide guidance for its interpretation. These law offices are probably good candidates to talk to when assistance is needed. However, this should not be read as any kind of endorsement.
- IAPP: Top 10 operational impacts of the GDPR: Part 1 - data security and breach notification
- EPIC: EU General Data Protection Regulation
- DLA Piper on GDPR
- Allen & Overy on GDPR
- Proskauer: A primer on the GDPR: What you need to know
- White & Case: Unlocking the EU General Data Protection Regulation
- White & Case: Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law
- PA Consulting: The EU GDPR
- Trunomi: EU GDPR Portal
- Protiviti: European Union General Data Protection Regulation (GDPR)
- MacRoberts: EU General Data Protection Regulation (GDPR)
- Sidley: Preparing for the EU GDPR - What you need to know
- Loyens & Loeff on GDPR
- McDermott Will & Emery: The privacy Shield: September 30, 2016, deadline for early self-certification offers compliance opportunity and risk
- Womble Carlyle Sandridge & Rice: A Fragile Shield? Managing the risks of EU-US data transfer
- Foley Hoag: At long last, US-EU privacy shield adopted by EU member states
- Foley & Lardner: To join or not to join: Is the EU-US privacy shield right for you?
- King & Spalding: EU-US privacy shield framework agreement reached - replaces safe harbor agreement
- Locke Lord: The General Data Protection Regulation: What insurers should do now to prepare for its implementation
- Proskauer: The basics of international privacy law for commercial litigators, part 1: the EU
- WilmerHale: A closer look at cybersecurity legislation and regulations in the US and abroad - Global overview
Press and vendor articles about GDPR
Various press articles also provide useful guidance and information. Here are some of the more relevant.
- CSO: General Data Protection Regulation (GDPR) requirements, deadlines and facts
- Information Age: GDPR compliance: what organizations need to know
- Dark Reading: 8 Things Every Security Pro Should Know About GDPR
- Forbes: GDPR: EU goes against the global grain to protect privacy
- TechCrunch: On data protection Brexit means mirroring EU rules, confirms UK minister
- Computer Weekly: Essential Guide to the EU General Data Protection Regulation (GDPR)
- Telegraph: How SMEs can prepare for the General Data Protection Regulation
- ZDNet: As EU's General Data Protection Regulation (GDPR) looms, tech vendors ready pitches
- IT Governance on GDPR
- The Register: GDPR: Do not resist! Unless you want a visit from the data police
- Adexchanger: The EU's GDPR is a big deal: Acxiom execs describe the impact
- Neowin: GDPR: What it is, and what it means for you
- Stibo Systems: New EU General Data Protection Regulation (GDPR): What it is and what you need to do
- Stibo Systems: How to prepare for GDPR: A five-step guide
- Trusthub: The road to GDPR compliance
The references herein are for information only and should not be seen as endorsements. Nothing herein is intended as legal advice, and we recommend consulting a competent attorney to interpret the regulation in the unique circumstances of each organization.