The ICO is continuing to work on guidance to assist controllers in the run up to May 2018 when data protection reforms will take effect. This update explains what we have been doing since the previous version of this What to expect and when document and our plans for the future.

What we have been doing since April

We published the previous version of this document in April 2017. Since then we have been working on the following:

  • we published our Getting ready for the GDPR checklist as part of our SME Toolkit;
  • we updated our 12 steps to take now document;
  • we have continued to work within the EU’s Article 29 Working Party on drafting EU-level guidelines. We are leading the drafting of the guidelines on profiling, data breaches and administrative fines and we are contributing to the work on consent, transparency, certification and international transfers;
  • we have analysed the feedback we received on our draft guidance on consent and our discussion document on profiling;
  • we carried out user testing to help us to improve our data protection reform guidance pages;
  • we have been assisting DCMS and Home Office where we can to help them with their work drafting a Data Protection Bill; and
  • we have been planning the structure and priority areas for our own GDPR guidance.

The Article 29 Working Party issued guidelines on data protection impact assessments and high risk processing for consultation in April 2017. The consultation closed on 23 May.

Our plans for the next phase of work

ICO guidance

For the rest of this year we will be working to turn the Overview of the GDPR into a Guide to GDPR, which will be similar to our existing guides to other legislation. We will be filling in gaps in its coverage and expanding the content to make it a comprehensive guide. This will include ‘In brief’ summaries and checklists as well as more detailed multi-page content in key areas. All of this content will be presented as web pages and downloadable. We will also continue to include links to relevant Article 29 guidelines. We will be working on this for the rest of this year and all the new content should available by early next year.

As part of this work we will produce detailed guidance in 2017 on:

  • contracts between controllers and data processors;
  • children’s data; and
  • accountability, including documentation.

We will invite comments on these for a short period before finalising the text. 

We also intend to publish detailed guidance on consent (taking account of the comments we received on the draft we issued previously) and on the other lawful bases for processing, including legitimate interests. We expect this will be early in 2018, as we think it is reasonable to wait until after the Article 29 Working Party guidelines on consent have been adopted. 

We will also publish summaries of the responses we received on the  profiling and consent papers we issued earlier this year.

Article 29 guidelines

We expect that the Article 29 guidelines on profiling and automated decision making will be adopted in October, followed by the guidelines on consent, transparency and breach notification at the end of the year. These are key reference documents that sit alongside our own guidance. At the same time, we recognise that not all controllers will need the level of detail that these guidelines provide; that is why we are working to ensure that our Guide to GDPR contains the key points that all controllers need to be aware of.

Looking ahead to the new Data Protection Act

It is important to remember that the GDPR is only a part of the overall data protection framework. The Government has confirmed its plans to introduce a Data Protection Bill into Parliament. This should become law in 2018 replacing the current Act. It will:

  • set out derogations from the GDPR, ie areas where Member States can decide provisions, such as around some exemptions;
  • contain other national implementing measures, such as the Commissioner’s powers;
  • implement the Law Enforcement Directive, which covers processing by competent authorities such as police forces for law enforcement purposes; and
  • cover those areas of data processing that are not covered by either GDPR or the Directive and are outside the scope of EU law, so that there will be no gaps in the UK’s data protection regime.

We will be following the progress of the Data Protection Bill closely and will contribute our views as appropriate during its passage through Parliament. Any legislation introduced into Parliament is open to change so  once we have a clearer idea of its final form we will be able to make firmer plans and develop the structure and the content of the guidance. Our aim is to provide a suite of data protection guidance that is as comprehensive as possible by May 2018.

Version 3
13 September 2017