GDPR guidance: What do we have so far? – UPDATED!

There are 7 months to go until we need to comply with the EU General Data Protection Regulation (GDPR), and we also have the new UK Data Protection Bill. We have been eagerly awaiting official guidance on the requirements. So what do we have so far and what is expected soon?

UK Information Commissioner’s Office

Current guidance:

Expected soon (2017/2018):

  • Final version of the guidance on consent
  • Guidance on other legal bases for processing, including legitimate interests
  • Guidance on children’s personal data
  • Guidance on accountability, including documentation
  • Guide to the GDPR (to replace the overview referred to above)

ICO guidance on international data transfers seems to have been removed from the listed plans, though the ICO has indicated that it is contributing to EU-level guidelines on this topic (see below).

EU Article 29 Working Party

Current guidance:

  • Guidelines on the right to data portability (WP 242 adopted on 13 December 2016 and revised on 5 April 2017)
  • Guidelines on data protection officers (WP 243 adopted on 13 December 2016 and revised on 5 April 2017)
  • Guidelines for identifying a controller or processor’s lead supervisory authority (WP 244 adopted on 13 December 2016 and revised on 5 April 2017)
  • Guidelines on data protection impact assessment and determining whether processing is "likely to result in a high risk" (WP 248 adopted on 4 April 2017 and revised on 4 October 2017)
  • Guidelines on personal data breach notification (WP 250 adopted on 3 October 2017 and open for comments until 28 November 2017)
  • Guidelines on automated individual decision-making and profiling (WP 251 adopted on 3 October 2017 and open for comments until 28 November 2017)
  • Opinion on data processing at work (including GDPR guidance) (Opinion 2/2017 adopted on 8 June 2017)

Expected soon (2017/2018):

  • New guidance on certification, administrative fines, consent, profiling and transparency
  • Updates to existing guidance on data transfers to third countries and data breach notifications
  • Also working on setting up the European Data Protection Board structure in terms of administration, and preparing the one stop shop and consistency mechanism (which seeks to ensure the GDPR is applied and enforced consistently across the EU)

Olivia Whitcroft, principal of OBEP, 18 October 2017

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details