19 October 2017
The Article 29 Working Party – the group of EU data protection authorities charged with agreeing European-wide guidance on GDPR – has published guidelines on profiling and breach reporting. Guidelines on administrative fines that were adopted earlier this month, will be published soon too.
Consistency across the EU is one of the fundamental drivers of the GDPR and, as the UK member of Article 29 (WP29), we’re either leading or assisting in the development of guidance on some of the main aspects of the law.
For example, the feedback we received from stakeholders on our discussion paper on profiling and automated decision-making, helped us in leading the important discussions that resulted in the final European guidelines.
Similarly, consultation responses to our draft guidance on consent are informing our discussions in Europe too. Once WP29 publishes its guidelines – expected by the end of this year – we can continue refining our own, UK-specific guidance on this.
We’re also playing a central role in drafting Europe-wide guidelines on transparency.
In addition to our work at European level we are continuing to work on the wider suite of ICO guidance, prioritising areas that are not on the WP29 workplan but where we have identified a particular need and we think we can add value for our UK audience.
For example, in response to feedback on our draft consent guidance, we’ve committed to produce guidance on the other lawful bases for processing, including legitimate interests.
We have published draft guidance on contracts between data controllers and processors, and we are currently analysing the feedback we received in order to produce the final version. We will also issue guidance on accountability and documentation, and on children’s data, for consultation.
We’re also prioritising work to produce our Guide to the GDPR. It expands the content of the current overview to make it a comprehensive guide along the same lines as the current Guide to Data Protection.
The ICO remains committed to helping organisations to improve their practices and prepare for the GDPR that comes into effect on 25 May 2018.
There’s a range of tools and resources on the Data Protection reform section of our website including a what to expect when page that gives details of upcoming guidance and milestones. We’ve also just announced a dedicated telephone advice service for small and micro businesses and have committed to updating our simple-to-use SME toolkit into a GDPR checklist that will allow businesses themselves to identify gaps in their own preparation for the new law. We’ll also publish a more targeted version of our 12 steps to take now document to help small businesses prepare.
Jo Pedder is Head of Policy and Engagement. She has lead responsibility for the ICO’s guidance on the Data Protection Act and the Freedom of Information Act.