It’s hard to believe that it has been a month since GDPR took effect. Since May 25, the sky has not fallen, nor have we seen widespread lawsuits or regulatory scrutiny. For those companies that are still working towards compliance with this new EU law, a roundup of guidance from various EU regulators may be helpful. In the UK, the ICO maintains information on its site, including an assessment toolkit. In France, the CNIL also has useful tools in English for companies, including updates to its privacy impact assessment software. In Spain, the data protection agency has issued guides (in Spanish), including for breaches, impact assessments, and risk assessments.
Also of use is the website of the European Data Protection Board (EDPB), the replacement for the Article 29 Working Party. That page contains an archive of the Article 29 Working Party documents, as well as new EDPB materials. These include guidelines for companies and a list of the data protection authorities in the Member States.
Putting it Into Practice: As we move further from GDPR’s May 25 implementation date, we expect to see more guidance and direction from both the EDPB and Member State DPAs regarding compliance with this sweeping European privacy legislation.