GDPR Celebrates One Month Anniversary
Posted on June 25, 2018
It’s hard to believe that it has been a month since GDPR took effect. Since May 25, the sky has not fallen, nor have we seen widespread lawsuits or regulatory scrutiny. For those companies who are still working towards compliance with this new EU law, a round up of guidance from various EU regulators may be helpful. In the UK, the ICO maintains information on its site, including an assessment toolkit. In France, the CNIL also has useful tools in English for companies, including updates to its privacy impact assessment software. In Spain, the data protection agency has issued guides (in Spanish), including for breaches, impact assessments, and risk assessments.
Also of use is the website of the replacement to the Article 29 Working Party, the European Data Protection Board. That page contains an archive of the Article 29 working party documents, as well as new materials for the EDPB. These include guidelines for companies and a list of the data protection authorities in the Member States.
PUTTING IT INTO PRACTICE: As we move further from GDPR’s May 25 implementation date, we expect to see more guidance and direction from both the EDPB and Member State DPAs regarding compliance with this sweeping European privacy legislation.
As GDPR Looms, Australia to Participate in APEC’s CBPR Program
Posted on January 11, 2018
Late last year, Australia’s Attorney General confirmed that Australia planned to participate in APEC’s Cross Border Privacy Rules (CBPR) system. The CBPR system was intended to help companies that want to transfer personal data across the borders of participating countries. Currently there are five participating countries: Canada, Japan, South Korea, Mexico, and the US. This scheme has been viewed by some as a hopeful complement to the Binding Corporate Rules concept under the EU Data Privacy Directive. In recognition of the overlap between the two, the Article 29 Working Party and the APEC Electronic Steering Group put together a checklist of the commonalities between Binding Corporate Rules and CBPR certification.
As next steps, Australia needs to finalize its participation in the program. It has indicated that it will be working with the Office of the Australian Information Commission (OAIC) and businesses to implement the CBPR system. Then, Accountability Agents will conduct certifications on Australian companies who are interested in participating. It remains to be seen how the CBPR system, which has been expanding, will be impacted after the May 2018 implementation of GDPR.
PUTTING IT INTO PRACTICE: This approval shows that governments are continuing to think about how they can help companies address the need to transfer data across borders while addressing varying privacy requirements.
                    Eye on Privacy 2018 Year in Review 40