As we approach May 25 2018, the internet is becoming flooded by GDPR related articles (see eg. Google Trends for GDPR). This is the date from when the new EU General Data Protection Regulation (GDPR) goes into effect.
But in lot of cases you may find these articles contradictory, incomplete or subjective. Who to trust and how to make decisions is a dilemma for many. Find the truth below.
What is GDPR?
The aim of this article is not to declare the basics of the GDPR, but in a nutshell: it is the EU’s new data privacy regulation (General Data Protection Regulation). It governs how the data of European citizens must be handled and organisations handling personal data need to prove their compliance. Penalties may exceed 20 million Euros.
Which statement should you believe regarding GDPR?
At this point we should point out that currently no one has any real experience with the new GDPR as we are speaking of a regulation what will come into force in the future.
Of course, it makes sense to read blog posts, attend conferences, meetups or trainings about GDPR (eg. it may reduce the risk of receiving a large penalty), but the fact is that there is a lot of misinformation out there and rarely do they contain any references to the official sources.
Currently, anything beyond the official sources should be considered as an opinion!
If you want be sure, you have two options:
Read the official sources
At the very least, validate the information you’ve gathered elsewhere
It is not easy to differentiate the official pages from the simply “official looking” ones. Our aim is to create a list of the GDPR related official materials.
GDPR related official materials currently available
1. The official GDPR regulation
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 27 April 2016
On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
(accessible in multiple languages)
Chapters of the regulation
The regulation is considerably long and, to be honest, from a UX perspective it’s a mess. If you read the whole regulation you will find that there are similarly looking parts almost repeated word-by-word, but it is intentional.
For easier orientation here is a clickable list of the GDPR chapters:
Hint: Very useful part: CHAPTER I Article 4 Definitions (eg. what is ‘personal data’)
2. WP29 guidelines
The aim of these guidelines from the Article 29 Working Party is to clarify the regulation and also provide best practice recommendations. http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1360
Among the guidelines there are already accepted and there are some adopted, but not accepted yet.
The accepted WP29 guidelines:
Guidelines on the application and setting of administrative fines (wp253).
Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679, wp253
Guidelines on Data Protection Impact Assessment (DPIA) (wp248rev.01)
Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, wp248rev.01
The adopted, but still to be finalized state WP29 guidelines:
3. The local regulations
Member States may adopt specific rules, provide for exemptions or derogations or may further determine specific conditions regarding the GDPR. The effect of these legal changes is worth being subsequently monitored on the websites of Data Protection Authorities of the given Member State.
The list of National Data Protection Authorities: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080
Hint: You can turn to a National Data Protection Authority with your questions. They should answer for free and their answers are also official.
+ A bonus: WP29 Letters, Opinions and other documents for more details
GDPR isn’t easy and even lawyers won't give you a guarantee if you are GDPR compliant or not and neither will this article. To be safeguard yourself, read the official sources instead of opinions and you can make decisions based on these trustworthy sources.
The good news: the content of these materials will not change in the near future.
We will produce more valuable GDPR articles soon, focusing on specific areas where we will try to reference to the official sources as much as it is possible. Stay tuned!
(Last update of the sources: 12 March 2018)
Do you have a Drupal website and you want it to be GDPR compliant?
Please get in touch and see how we can help.