GDPR guidance: What do we have so far? – UPDATED!
There are 7 months to go until we need to comply with the EU General Data Protection Regulation (GDPR), and we also have the new UK Data Protection Bill. We have been eagerly awaiting official guidance on the requirements. So what do we have so far and what is expected soon?
UK Information Commissioner’s Office
Current guidance:
Expected soon (2017/2018):
- Final version of the guidance on consent
- Guidance on other legal bases for processing, including legitimate interests
- Guidance on children’s personal data
- Guidance on accountability, including documentation
- Guide to the GDPR (to replace the overview referred to above)
ICO guidance on international data transfers seems to have been removed from the listed plans, though the ICO has indicated that it is contributing to EU-level guidelines on this topic (see below).
EU Article 29 Working Party
Current guidance:
- Guidelines on the right to data portability (WP242 adopted on 13 December 2016 and revised on 5 April 2017)
- Guidelines on data protection officers (WP 243 adopted on 13 December 2016 and revised on 5 April 2017)
- Guidelines for identifying a controller or processor’s lead supervisory authority (WP 244 adopted on 13 December 2016 and revised on 5 April 2017
- Guidelines on data protection impact assessment and determining whether processing is "likely to result in a high risk" (WP 248 adopted on 4 April 2017 and revised on 4 October 2017)
- Guidelines on personal data breach notification (WP 250 adopted on 3 October 2017 and open for comments until 28 November 2017)
- Guidelines on automated individual decision-making and profiling (WP 251 adopted on 3 October 2017 and open for comments until 28 November 2017)
- Opinion on data processing at work (including GDPR guidance) (Opinion 2/2017 adopted on 8 June 2017)
Expected soon (2017/2018):
- New guidance on certification, administrative fines, consent, profiling and transparency
- Updates to existing guidance on data transfers to third countries and data breach notifications
- Also working on setting up the European Data Protection Board structure in terms of administration, and preparing the one stop shop and consistency mechanism (which seeks to ensure the GDPR is applied and enforced consistently across the EU)
Olivia Whitcroft, principal of OBEP, 18 October 2017
This article provides general information on the subject
matter and is not intended to be relied upon as legal advice. If you
would like to discuss this topic, please contact Olivia Whitcroft using
the contact details set out here: Contact
Details