13 June 2017
There is less than a year to go until the GDPR is enforced throughout Europe and the guidance is coming thick and fast.
I have been at a few conferences with the ICO and their view on fines is worth noting. Ken Macdonald, Head of ICO Regions, said the following at a Capita Conference on data sharing in Edinburgh in March this year: "We are not intending to take a moderate approach as you will have had 2 years to prepare."
However, Ken also said at the IRMS/NADPO Conference in April: "We'll look far more favourably on an organisation who've thought about compliance, even if we think they're wrong."
The problem has been that the Regulation itself provides the bones of what is expected, but we have been waiting on guidance from Europe, from the ICO and from the DCMS. There is now guidance available, both in draft and final form, and an idea of what to expect, so I wanted to capture all that information in one place for your convenience.
I hear a lot of frustration being expressed by various sectors about the lack of guidance, coupled with the call to start thinking about compliance now. All of the ICO guidance is caveated and may change. There are a lot of 'unknowns', but there are now many 'knowns', and organisations must start to work on compliance.
The following Guidelines have been adopted by the WP29 following a consultation period which ended on 29 January 2017:
- Data Protection Officers
- The Right to Data Portability
- The Lead Supervisory Authorities
The Draft Guidelines in relation to Data Privacy Impact Assessments were out for consultation and closed on 23 May 2017.
The WP29 has also indicated that it will produce Guidelines in relation to the following areas:
- Administrative fines
- Certification
- Profiling
- Consent
- Transparency
- Notification of personal data breaches
- Tools for international transfers
In relation to two of those areas (consent and profiling), the ICO has already produced its draft guidance.
The ICO's Overview of the GDPR, which contains the 12 Steps to Take Now, is a living document that will be updated from time to time as further guidance is produced by the WP29 and DCMS. There is also a self-assessment tool to help you prepare. The latest Code of Practice on Privacy Notices also includes reference to the information that the GDPR will require to be included in notices from May 2018.
The ICO's Draft Guidance on Consent was issued in March 2017 and the final version is expected in June 2017, although it is understood that there were more than 300 responses and that this timescale may slip. This changes the requirements for obtaining valid consent considerably, and thought should be given to this issue in particular now.
Most recently, the ICO produced Draft Guidance on Data Profiling. Responses were due by 28 April 2017, with final guidance to follow.
Department for Culture, Media and Sport
There are over 50 areas set out in the GDPR where Member States can exercise discretion about how the GDPR will apply in each country. The DCMS issued a consultation paper asking for comment on each of these by 10 May 2017. There is no additional information in the document: it simply identifies the areas where there is discretion and asks for comment. The ICO's Response provides some insight into its thinking and is worth a read.
For more info visit our GDPR updates page.