Two months before the EU's General Data Protection Regulation (GDPR) takes effect, the European Data Protection Supervisor (EDPS) has published two new sets of guidelines, providing advice to the EU institutions on how to adapt to this new chapter in EU data protection.

The guidelines address data protection requirements for the management and governance of IT infrastructure, in general, and for cloud computing services, specifically. They build on the principles enshrined in the GDPR, which will apply in the member states from 25 May.

“When we published our Strategy for the current mandate in 2015, we made readiness for the GDPR one of our top priorities,” said Wojciech Wiewiórowski, Assistant Supervisor at the EDPS. “We are contributing to this target through our work with the EU institutions, as well as through our preparation of the EDPB secretariat.”

The legislative process for the revision of data protection rules for EU institutions is not yet complete. For this reason, the EDPS guidelines use the data protection model outlined in the GDPR as a reference. However, the EDPS recommends that all institutions already start taking into account the new concepts outlined in the guidelines, such as data protection by design and by default, as the approach they advocate has already been agreed by the legislator.

These guidelines complement the efforts made by the EDPS over the last couple of years to prepare the EU institutions, agencies and bodies for the revised data protection rules. These efforts include an extensive set of guidelines on operational and technological matters, as well as a campaign of accountability visits aimed at top management in EU institutions and agencies and an ongoing series of training events for EU staff at all levels.