We are committed to helping organisations to prepare for the GDPR, which will apply in the United Kingdom from 25 May 2018. One of the main ways in which we do this is by publishing practical guidance and signposting guidance produced by other bodies. In planning this we take account of what our stakeholders tell us they need to know about the GDPR, and our own analysis of the key differences between GDPR and the DPA.
We previously set out the three phases we intended for our implementation work:
Phase 1: Familiarisation and key building blocks
Phase 2: Guidance structure and mapping, process review and initial development of associated tools
Phase 3: Bulk guidance refresh/production and review
We consider that we are now moving from Phase 1 to Phase 2; we indicated previously that these would overlap.
What we have done so far:
- We have produced a document on Preparing for the GDPR: 12 steps to take now, to give organisations a list of the key issues they need to be addressing in their preparations. This has been well received, both in the UK and abroad.
- We have published an Overview of the GDPR. We explain our future plans for this below.
- We have referred to relevant GDPR provisions in our revised Privacy notices code of practice.
- We have published our draft consent guidance for public consultation.
- We have been identifying what guidance is needed as a priority, and assessing where we can adapt our existing DPA guidance and where we need to create new content.
- We have published version 2 of our paper on big data. While this is not a guidance document on the GDPR, it does discuss GDPR provisions that are relevant to big data and machine learning.
We will continue to work on three main areas:
- European level guidance in the form of Article 29 Working Party (WP29) guidelines
- ICO guidance
- Other policy work
We will develop each strand in the following ways:
European level guidance
The WP29, with its various sub-groups, includes representatives of the data protection authorities from each EU member state. It has an annual work programme which covers the guidelines it is producing on key aspects of the GDPR. As the UK’s representative, the ICO continues to participate fully in this work, taking on responsibilities as rapporteur (lead) for some of the guidelines and chairing the technology sub-group.
We will continue to contribute to producing WP29 guidelines and when they are published we will link to them from the Overview. We will not duplicate the work of the WP29, but we will incorporate the key points in the Overview. Where it is appropriate we will publish our own additional advice to explain anything that is particularly relevant to the UK.
The WP29 has now adopted guidelines, with FAQs, on the following GDPR topics:
- Data portability
- Data protection officers
- Identifying a controller or processor’s lead supervisory authority
These are available on the WP29 website, and we have linked to them from the relevant sections of the Overview. WP29 invited comments on these documents and is considering the responses received.
The WP29 has finalised its work plan for 2017 and we have contributed to the discussion on this. WP29 intends to produce guidance documents on:
- Administrative fines
- High risk processing and Data Protection Impact Assessments
- Notification of personal data breaches
- Tools for international transfers
We will link to these documents from the Overview when they are published.
ICO guidance
Over time we will develop the Overview of the GDPR into our Guide to the GDPR, which will be the core of our guidance. As we develop the Overview we will treat it as a living document, expanding the text as necessary to cover particular points as they develop. The Overview currently follows the structure of the GDPR; we will add further sections to cover cross-cutting issues as necessary, e.g. data sharing or profiling.
Where we decide it is appropriate to go ahead and develop ICO guidance on issues not currently being considered by the WP29, we will incorporate it into the Overview. This guidance may take some content from existing DPA guidance, where it is still relevant. In the event that the WP29 decides to consider a topic we have already worked on, we will be in a position to provide input based on the products we have already developed, whether that is guidance or the background policy thinking mentioned below.
In addition to our draft consent guidance, we are aiming to publish guidance on contracts and liability early in 2017.
We will indicate in the Overview where we know that specific guidance is forthcoming, either from ourselves or from WP29, and then link to that guidance when it is published. The Overview also has a ‘What’s new’ section at the beginning to highlight new content.
Other policy work
We have recently been assessing the GDPR provisions on the following cross-cutting areas
We have also started to consider the GDPR provisions specific to children’s personal data. We are also consulting with relevant stakeholders about international transfers.
We are currently considering what we will publish as a result of this work, whether as guidance or as discussion papers. We aim to provide some outputs in the first half of 2017.