Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

ICO releases 12 step guide on the GDPR

By Nick Graham and Tanvi Mehta
March 16, 2016
  • Europe
  • New and Proposed Laws
On Monday this week the UK Information Commissioner’s Office released its first guidance on the General Data Protection Regulation (GDPR): the 12 steps that businesses can start taking now to prepare for the GDPR.  The guide was launched as part of the ICO’s annual Data Protection Practitioners’ Conference, in Manchester.  The ICO also launched a new microsite on the GDPR (see below).

In its accompanying press release, the ICO emphasised that its role is “not just about enforcement and fines” and that the guide would help the ICO to do its work in “guiding organisations who want to make sure they’re following the new rules, and getting it right from the start”. This tallies with the ICO’s message at the conference: it is here to help organisations, but there are steps that can be taken now to start preparing for the implementation of the GDPR.

Here is a summary of what the guide asks organisations to do:

  • ensure there is awareness amongst key stakeholders in the organisation that the GDPR represents a major overhaul of data protection law in Europe, and ensure they identify the areas of the GDPR that have the biggest impact on them;
  • document the personal data that they hold, where it came from and with whom they share it. The ICO suggests that this can be done through an information audit – this will be necessary to match the updated subject rights for the “networked world”;
  • review current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation;
  • check existing procedures to ensure that they cover all the rights data subjects now have under the GDPR – both the enhanced rights and the additional right of data portability;
  • look at the various types of data processing they carry out, identify a legal basis under the GDPR for carrying it out and document it;
  • ensure processes and procedures are documented – to help demonstrate compliance with the accountability requirements. This may also help a controller to rely on the “manifestly unfounded or excessive” exemption for subject access requests, to readily produce the upgraded form of privacy notice, or to determine the lead supervisory authority.

Interestingly, many of these recommendations will already be in place for those with BCRs or who have done data audits following the recent Safe Harbor and Privacy Shield developments.  Clearly, now is the time to get your ‘data privacy’ house in order.

We think that the 12 step guide is a useful starting point for all businesses, especially those small- to medium-sized enterprises who may be intimidated by the (over 200-page) GDPR – it helps put theory into practice and could hint at the ICO’s enforcement focus going forward.

We expect that it will be the first in a set of practical guidance issued by the ICO ahead of the GDPR. Indeed, the ICO has anticipated, in its accompanying blog entry, that over the next few months, it will “…be doing more work to consider the feedback we’ve received and produce a more detailed plan for the guidance, other tools and services we need to develop”. In this way, the ICO seems to be taking a phased and business-friendly approach to the GDPR.

The ICO has also launched a new microsite dpreform.org.uk – this will be the home for the ICO’s GDPR guidance; a key addition to your “favourites” bar.

It has also invited further feedback about the areas in which advice and guidance is most needed – so get in touch if you have any strong views. Watch this space as we see what else the ICO (and other European regulators) will produce on the GDPR…

About Nick Graham

Nick Graham is the Global Co-Chair of Dentons' Privacy and Cybersecurity Group. He specialises in data privacy, cybersecurity, information governance. Nick advises across all sectors including retail, telecoms, energy, manufacturing, banking, insurance, transport, technology and digital media.

About Tanvi Mehta

Tanvi has advised government bodies, corporates (including technology suppliers as well as customers) and financial institutions on a wide range of information technology, data protection and telecoms regulatory matters. Her experience includes telecoms and IT services outsourcings, major telecoms corporate deals, data protection audits and advice, contract law and consumer protection (in so far as that relates to e-commerce and IT contracts).