On November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside and outside the EU.
The wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the date this law goes into implementation. We have shared below some interesting points that we’ve seen arising recently, all of which relate to how things are likely to develop from today onwards, including enforcement predictions, challenges related to operationalizing data subject access procedures, and how the GDPR may change the data privacy litigation landscape in Europe.
For many organizations that are based outside the EU and took the “wait and see” approach, our checklist may come in handy, which gives an illustrative overview of the requirements likely to impact most types of businesses and the practical steps that organizations need to take to meet those requirements. We also have a chatbot powered by artificial intelligence that helps clients to determine whether the GDPR applies to their business.
On April 16, 2018, the National Institute of Standards and Technology (NIST) unveiled Version 1.1 of its widely known Cybersecurity Framework, which incorporates changes based on feedback collected through comments, questions, and workshops held in 2016 and 2017.
On February 6, 2018, the Article 29 Working Party (WP29) adopted updated guidelines on Binding Corporate Rules (“BCRs“), which replace the previous WP29 working documents 153 and 195 on BCRs and Processor BCRs.
As the line between work and home becomes increasingly blurred, the federal, British Columbia and Alberta privacy commissioners have issued joint guidelines to help organizations reduce the risks of privacy breaches with respect to employers’ data accessed from employee-owned devices (EODs), while also securing employees’ privacy rights regarding any personal information stored on EODs.