ICO issues updated GDPR guidance – watch this space…

January 19, 2017

This week the UK Information Commissioner’s Office (“ICO”) published updated guidance setting out what organisations can expect from the ICO in the run up to the EU General Data Protection Regulation (“GDPR”) being fully implemented in the UK on 25 May 2018.

A link to the guidance can be found here on the ICO’s website but the key takeaways are:

  1. ICO moves from GDPR implementation phase 1 to phase 2 – the ICO previously set out three phases categorising the work it would undertake to implement the GDPR. These phases are: phase 1, familiarisation and key building blocks; phase 2, guidance structure and mapping, process review and initial development of associated tools; and phase 3, bulk guidance refresh/production and review. The ICO has indicated it is moving from phase 1 to phase 2 rather than overlapping the phases as initially planned.
  2. ICO will continue to focus on three key areas – the ICO has committed to focusing on three key areas: European guidance issued by the Article 29 Working Party (“A29 WP”), development of its own guidance, and other policy work.

The ICO’s update set out its plans for each of these three key areas as follows:

  1. European Guidance
    • ICO will continue to participate in A29 WP - the ICO confirmed that it will continue to fully participate in the A29 WP as the UK’s representative including taking on a leading role in the development of some of the guidelines. In addition, the ICO confirmed it will be chairing the technology sub-group.
    • ICO will contribute to preparation of A29 WP guidelines – the ICO will publish the guidelines on its website once issued and will not duplicate any of the A29 WP’s guidelines but may publish additional advice to clarify any points.
    • A29 WP has finalised its work plan for 2017 – the ICO confirmed that the A29 WP intends to publish guidance on the following topics, which will be available as a link from the ICO’s Overview (found here):
      i) Administrative fines
      ii) High risk processing and data protection impact assessments
      iii) Certification
      iv) Profiling
      v) Consent
      vi) Transparency
      vii) Notification of personal data breaches
      viii) Tools for international transfers

  2. ICO Guidance
    • ICO’s Overview of GDPR will become core Guide to GDPR – the intention is that the ICO’s GDPR Overview will become its core GDPR guidance, a living document that will be expanded as the law develops.
    • ICO will develop additional guidance where necessary – the ICO may develop additional guidance on issues not covered by the A29 WP.
    • New guidance to be published in early 2017 – the ICO confirmed that it intends to publish guidance on ‘contracts and liability’ and ‘consent’ in early 2017.
  3. Other policy work – the ICO confirmed it has been assessing the GDPR provisions related to profiling, risk, children’s personal data and international transfers, and the potential for cross-over between these areas. We can expect some form of guidance on these areas by the end of Q2 2017, as well as version 2 of the ICO’s big data paper, which should be published in February 2017.

The overall message is that “The ICO remains committed to helping organisations to improve their practices and prepare for the GDPR” in a consistent and pragmatic way. Stay tuned for further GDPR guidance - the countdown has begun!

Samantha Sayers | Solicitor – Cyber Security and Data Protection | PwC - UK
+44 (0)20 7213 4697