“We need to await further guidance on …” is the phrase on everyone’s lips in meeting rooms across the UK. The final General Data Protection Regulation text has been officially published, in multiple languages, and will be implemented on 25th May 2018. But, there are many unanswered questions and uncertainty surrounding compliance with the new Regulation.
Is opt-out still okay? How clear and granular do consent mechanisms need to be? How will automated profiling be interpreted and what will Data Subjects need to be told? What are the risky circumstances in which a Data Privacy Impact Assessment must be carried out? How will the overlap of responsibility between data controllers and data processors work in practice? Does GDPR affect PECR? The list goes on.
The ICO had been expected to provide an overall document outlining guidance on all areas, but we know now that the Regulator plans to provide guidance in stages over the next two years. Each piece will address a specific topic.
Initially, the ICO has identified five key priorities: an overview of GDPR, individuals’ rights, contracts, consent and the Privacy Notices Code of Practice. Guidance on these will be published, or at least drafting will begin, over the next 6 months. Furthermore, the ICO is working with its counterparts in other member states, through the Article 29 Working Party (which will become the European Data Protection Board under GDPR), to ensure a consistent approach. The ICO says European guidance can be expected on the following topics by the end of 2016:
- Identifying an organisation’s main establishment and lead supervisory authority
- Data Portability
- Data Protection Officers
- Risky processing and Data Protection Impact Assessments
Organisations are being advised not to sit back and wait for guidance. Doing nothing is not an option: right now businesses should be increasing awareness, reviewing the data they hold, who they share it with, and how they obtain and record consent. They should also be addressing issues such as having a Data Breach Procedure and how to deal with the right to erasure in practice.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.