The EU Article 29 Data Protection Working Party (WP 29) is continuing its work in preparation for the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will take effect in May 2018. Last month, the WP29 released three sets of guidelines for controllers and processors of personal data, including guidelines on the right to data portability, on data protection officers, and on the lead supervisory authority. Key takeaways from these three guidelines can be found on our blog.

This month, WP29 announced that it adopted its “2017 GDPR Action Plan.” The Plan identifies two areas of focus: (1) follow up on 2016 topics, and (2) new 2017 priorities. The follow-up work will include finalizing guidelines on certification and processing likely to result in a high risk and Data Protection Impact Assessments, administrative fines, the setting up of the European Data Protection Board (EDPB), and the preparation of the one-stop-shop” and EDPB consistency mechanism.

This year, WP29 plans to prepare and release guidelines on the topics of consent, profiling, and transparency. The WP29 will also work on the update of already existing opinions on data transfers to third countries and data breach notifications. This year, companies that rely on transfers of personal data from the EU may have the following three opportunities to engage with the WP29 and EU Data Protection Authorities (DPAs):

  • On April 5-6, 2017, the WP29 will hold a Fablab meeting, where interested stakeholders will have an opportunity to present their views and comments on the identified 2017 priorities.
  • On May 18-19, 2017, the WP29 will organize an interactive workshop where non-EU counterparts will be invited to exchange views on the GPDR and its implementation by the WP29.
  • The press release also states that relevant public consultations “may be” launched at a national level by local DPAs.

The WP29 plans to review its 2017 plan periodically and prepare a new plan for 2018 to finish the preparation work. We will be commenting on the forthcoming GDPR guidelines as they are released by the WP29.