ICO sets out plans to issue GDPR guidance

Information Commissioner’s Office encourages business to review guidance on the General Data Protection Regulation as it is published to identify what areas need to be addressed in 2017

The Information Commissioner’s Office (ICO) has set out its plans for publishing guidance on the EU General Data Protection Regulation (GDPR).

UK organisations will be required to comply with the GDPR from 25 May 2018 and indications are that the new UK data protection legislation that will apply after the UK leaves the EU will align with the GDPR.

Jo Pedder, interim head of policy delivery, described the guidance on what organisations could expect as “essential reading” because it would help to plan what areas needed to be addressed in 2017.

“The update explains the work we will be contributing in the coming year as part of the Article 29 Working Party, as well as the guidance and policy development we have opted to prioritise ourselves,” she wrote in a blog post.

Pedder said the Article 29 Working Party – the body that currently brings together the data protection authorities across Europe – was leading the way in developing guidelines on some of the key aspects of the law.

“As the UK member of the Article 29 Working Party, we are inputting into this process and taking a lead role on a number of priority guidelines aimed at organisations,” she said.

Pedder highlighted the work the ICO was doing to develop an overview of the GDPR as a living document that would be updated continually with guidance by the ICO and the working party.

The latest guidelines published by the Article 29 Working Party are open to comment until the end of January 2017. They have been added to the ICO’s GDPR Overview and cover data portability, lead supervisory authorities and data protection officers.

“We have added links to the guidelines into the overview and we are considering what, if any, key messages we need to draw out and explain in more detail,” said Pedder.

The ICO previously indicated that its GDPR guidance would be issued in three phases: the first covering familiarisation and key building blocks; the second covering guidance structure and mapping, including process review and initial development of associated tools; and the third being a review.

The ICO is now moving into the second phase, which will overlap with the conclusion of phase one.

So far, the ICO has produced a document, Preparing for the GDPR: 12 steps to take now, to give organisations a list of the key issues they need to address in their preparations.

The ICO has also published the first version of its Overview of the GDPR, referred to relevant GDPR provisions in its revised Privacy notices code of practice, and has been identifying what guidance is needed as a priority.

The ICO said it would continue to work on three main areas: European-level guidance in the form of Article 29 Working Party (WP29) guidelines, ICO guidance and other policy work.

As the UK’s WP29 representative, the ICO said it would continue to contribute to producing WP29 guidelines and include them in the GDPR Overview.

In 2017, the WP29 intends to produce guidance documents on key GDPR topics, including administrative fines, profiling, consent, transparency, notification of personal data breaches, and tools for international data transfers.

The ICO said it would develop its own guidance on issues not currently being considered by the WP29.

In 2017, the ICO plans to publish guidance on contracts and liability, and consent.

In other policy work, the ICO said it had been assessing the GDPR provisions on profiling and risk.

It said it had also started to consider the GDPR provisions specific to children’s personal data, and was consulting relevant stakeholders about international data transfers.

In February 2017, the ICO plans to publish the second version of its paper on big data. “While this is not a guidance document on the GDPR, it does discuss GDPR provisions that are relevant to big data and machine learning,” it said.