Update on the latest GDPR guidance – where are we now?

Abstract Technology background.Security concept with padlock icon Print publication


The Information Commissioner’s Office (ICO)

The ICO, the UK’s data protection regulator, continues to update and expand its comprehensive Guide to the GDPR. Each section contains a helpful checklist of points for organisations to work through to ensure compliance. The ICO has also published a range of other resources, including a self-assessment toolkit, a series of ‘myth-busting’ blogs, and information for different sectors such as: education; health; local government; marketing; and finance, insurance and credit.

The ICO has published standalone guidance on a number of aspects of GDPR. In other cases, it has simply updated or expanded the relevant section of the Guide. To date, the ICO has produced the following standalone guidance, which is referred to in the Guide:

  • Detailed guidance on legitimate interests, one of the six available lawful bases for processing personal data under GDPR.
  • Detailed guidance on documentation, a key feature of the principle of accountability under GDPR.
  • Guide to the data protection fee. We considered this in a separate briefing. Parliament has now approved the new funding model.
  • Draft guidance on Data Protection Impact Assessments (DPIAs) for consultation (the short consultation closed on 13 April 2018). DPIAs are a legal requirement under GDPR for processing that is likely to be high risk, but the ICO notes that an effective DPIA can also bring broader compliance, financial and reputational benefits.
  • Draft guidance on children and the GDPR for consultation (the consultation closed on 28 February 2018). Children’s data is given particular protection under GDPR.
  • Draft guidance on contracts and liabilities for controllers and processors for consultation (this was issued in September 2017 – a final version is awaited). Under GDPR, whenever a controller uses a processor (or a processor employs another processor), there needs to be a formal written contract in place between them. GDPR specifies what terms must be included in the contract, as a minimum requirement. While data controllers bear ultimate responsibility for ensuring that the processing of personal data is GDPR-compliant, data processors need to be aware that GDPR also imposes direct obligations on them. Organisations should review all existing contracts which involve any processing or sharing of personal data to ensure that they meet GDPR requirements.
  • Draft consent guidance for consultation (this was issued in March 2017- final guidance is expected shortly now that we have European-level guidance on this subject). GDPR sets a high standard for consent, which is one of the six available lawful bases for processing personal data under GDPR. The ICO notes that consent “is not inherently better or more important than these alternatives. If consent is difficult, you should consider using an alternative”.
  • A lawful basis interactive guidance tool, to help organisations assess which lawful basis is likely to be most appropriate for their processing activities.

Further guidance is awaited on the following topics:

  • More detailed guidance on the ‘public task’ lawful basis.
  • More detailed guidance on the right to be informed, one of the individual rights under GDPR and a key transparency requirement.
  • More detailed practical guidance on rights related to automated decision-making including profiling.
  • Updated guidance on ‘privacy by design’. GDPR introduces a new concept of privacy by design and default which is intended to ensure that data protection is embedded within organisations and that privacy issues are taken into account as a matter of course. The new rules require organisations to implement privacy both by design (so that data protection safeguards are built into all processing activities) and by default (to ensure that the minimum amount of data is processed). Using DPIAs will help organisations to implement privacy by design and by default.
  • Guidance on applying GDPR requirements in different contexts, including in areas such as CCTV and big data.

European-level guidance

The Article 29 Working Party or WP29 (an advisory body comprising representatives from the EU data protection authorities, the European Data Protection Supervisor and the European Commission) has produced the following European-level guidance on a range of aspects of GDPR:

  • Guidelines on the right to data portability, one of the individual rights under GDPR.
  • Guidelines for identifying a controller or processor’s lead supervisory authority, an important consideration in relation to personal data breach notifications and breach response planning.
  • Guidelines on data protection officers (DPOs). The appointment of a DPO will be mandatory for public authorities/bodies as well as for data controllers or processors whose core activities comprise either: processing which requires regular and systematic monitoring of data subjects on a large scale; or large-scale processing of special categories of data or personal data relating to criminal convictions and offences.

We considered each of the above topics in an earlier briefing.

  • Guidelines on DPIAs and determining whether processing is “likely to result in a high risk”.
  • Guidelines on imposing administrative fines. GDPR introduces increased enforcement powers – fines of up to 2% of annual global turnover or €10 million (whichever is the greater) or fines of up to 4% of annual global turnover or €20 million (whichever is the greater), depending on the type of infringement.
  • Guidelines on personal data breach notification.
  • Guidelines on automated individual decision-making and profiling.
  • Guidelines on transparency. The WP29 describes transparency as an “overarching obligation under the GDPR applying to three central areas: (1) the provision of information to data subjects related to fair processing; (2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (3) how data controllers facilitate the exercise by data subjects of their rights”.
  • Guidelines on consent.
  • Proposed guidelines for the application of Article 49 of GDPR, which concerns derogations from the prohibition on transfers of personal data outside of the EU (the consultation closed on 26 March 2018).
  • Proposed guidelines on the accreditation of certification bodies under GDPR (the consultation closed on 30 March 2018). Certification mechanisms are one of the voluntary measures to facilitate compliance with GDPR.
  • Updates to the WP29’s working documents on adequacy and on binding corporate rules (BCRs) for controllers and for processors, plus other recent documents in relation to BCRs. BCRs are one of the legal mechanisms for transferring personal data outside of the European Economic Area between companies forming part of a multinational group.

All of these documents can be found on the WP29 website under the ‘Guidelines’ and ‘Letters, other documents’ tabs.

A new, independent, European Data Protection Board will replace the WP29 when GDPR comes into force.