Official guidelines on the application of the EU Uniform Data Protection Regulation (Regulation 2016/679, "Regulation" or "GDPR") have begun to be issued to help interpret the rules of the Regulation. In addition to the numerous publications, blog posts and opinions already available, official positions that data controllers and processors can rely on in preparing for the application of the Regulation have started to appear.
On April 5, 2017, the Article 29 Working Group (WP29) adopted the final versions of guidelines that it had published for comment earlier. These guidelines cover the following areas of the Regulation:
- WP242: Guidelines on the right to data portability;
- WP243: Guidelines on Data Protection Officers (“DPOs”); and
- WP244: Guidelines for identifying a controller or processor’s lead supervisory authority.
WP29 also published further draft guidelines on Data Protection Impact Assessment (DPIA) and on determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679 (WP248). Comments on this draft may be submitted until May 23, 2017.
(I will cover some of the guidelines in more detail in later posts.)
According to WP29's work plan, guidelines can be expected in further areas (e.g., consent, profiling, data incidents, data transmission).
The National Data Protection and Information Authority (Hungarian DPA) has not yet published specific guidelines regarding the Regulation. On the DPA's website, a short, 12-point sequence of steps is available under the title "preparation for the application of the Regulation".
Some Member State authorities have already begun issuing their own guidelines. The Information Commissioner's Office (UK), which has prepared guidelines on consent and profiling (the latter can be commented upon until 28 April), seems to be particularly active. In addition, it has released an updated version of its summary on big data issues, now taking into account the relevant rules of the GDPR.