Following last month's publication of the final text of the General Data Protection Regulation (GDPR), the Information Commissioner's Office (ICO) recently set out its plans for issuing updated guidance to organisations under the GDPR.

Phase 1 - priority actions

The first phase of the ICO's programme, covering the next six months, focusses on ensuring that organisations are familiar with the key changes being introduced by the GDPR and have the building blocks in place to develop their compliance strategies.

Outputs will include:

  • An overview of the GDPR
  • Guidance on individual rights
  • Contracts
  • Consent
  • the updated Privacy notices code of practice

The ICO will also be contributing to EU wide guidance on the following areas, which the Article 29 Working Party has identified as priority areas:

  • Identifying an organisation's main establishment and lead supervisory authority
  • Data portability
  • Data protection officers
  • Risky processing and data protection impact assessments (AKA privacy impact assessments)
  • Certification

The ISO will also carry out preparatory consultation and stakeholder workshops on a number of other key areas, including profiling, the new record keeping obligations, the relationship between data controllers and data processors and international transfers.

Phases 2 - identifying areas for review/developing toolkits

As part of phase 2 the ICO will review and map its current guidance against the GDPR and prioritise key areas for action. Concerningly, the ICO makes clear that some of the refreshed content may not be available prior to the GDPR coming into force in May 2018.

Phase 2 will also involve the development of tools and resources, with a particular focus on SMEs, who are unlikely to have internal expertise or be in a position to engage external support. The timescales for these toolkits being made available are not yet clear.

Phase 3 - bulk guidance refresh/production

The final phase will implement the actions identified during phase 2. Where possible, the ICO will seek to adapt its existing guidance under the Data Protection Act, with a view to ensuring some familiarity with the existing regime. The ICO will also signpost relevant European level guidance (developed by the WP29) and "translate" it into ICO guidance as and where necessary. It is here that data controllers are likely to see the biggest changes in approach as the GDPR's consistency mechanism comes into play.

Will the GDPR lead to a change in the ICO's approach to regulation?

The ICO has acknowledged that the consistency mechanism under the GDPR is likely to require it to change its current business friendly approach to guidance and enforcement. At a recent conference, Ian Bourne, the ICO's DP Policy Delivery Group Manager, said:

The ICO's traditional ability to be flexible and business savvy will be under much more scrutiny from other DPAs and the European Data Protection Board (EDPB) as well as the European Commission. So we will have some challenging times internationally.

That said, there are around 40 areas where member states can exercise national discretion (for example, the age at which the rules on digital consent apply). In those areas, the ICO expects the UK Government to adopt an approach to implementation that is similar to that which applies currently.


Martin Sloan