Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

ICO releases 12 step guide on the GDPR

By Nick Graham
March 16, 2016
  • Europe
  • New and Proposed Laws

On Monday this week the UK Information Commissioner’s Office released its first guidance on the General Data Protection Regulation (GDPR): the 12 steps that businesses can start taking now to prepare for the GDPR.  The guide was launched as part of the ICO’s annual Data Protection Practitioners’ Conference, in Manchester.  The ICO also launched a new microsite on the GDPR (see below).

In its accompanying press release, the ICO emphasised that its role is “not just about enforcement and fines” and that the guide would help the ICO to do its work in “guiding organisations who want to make sure they’re following the new rules, and getting it right from the start”. This tallies with the ICO’s message at the conference: it is here to help organisations, but there are steps that can be taken now to start preparing for the implementation of the GDPR.

Here is a summary:

  • Ensure there is awareness amongst key stakeholders in the organisation that the GDPR represents a major overhaul of data protection law in Europe and ensure they identify the areas of the GDPR that have the biggest impact on them.
  • Document the personal data that they hold, where it came from and with whom they share it. The ICO suggests that this can be done through an information audit – this will be necessary to match the updated subject rights for the “networked world”.
  • Review current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  • Check existing procedures to ensure that they cover all the rights data subjects now have under the GDPR – both the enhanced rights and the additional right of data portability.
  • Look at the various types of data processing they carry out, identify a legal basis under the GDPR for carrying it out and document it.
  • Ensure processes and procedures are documented – to help demonstrate compliance with the accountability requirements. This may also help a controller to rely on the “manifestly unfounded or excessive” exemption for subject access requests, help to readily produce the upgraded form of privacy notice or help to determine the lead supervisory authority.

Interestingly, many of these recommendations will already be in place for those with BCRs or who have done data audits following the recent Safe Harbor and Privacy Shield developments.  Clearly, now is the time to get your ‘data privacy’ house in order.

We think that the 12 step guide is a useful starting point for all businesses, especially those small to medium-sized enterprises who may be intimidated by the (over 200-page) GDPR – it helps put theory into practice and could hint at the ICO’s enforcement focus going forward.

We expect that it will be the first in a set of practical guidance issued by the ICO ahead of the GDPR. Indeed, the ICO has anticipated, in its accompanying blog entry, that over the next few months, it will “…be doing more work to consider the feedback we’ve received and produce a more detailed plan for the guidance, other tools and services we need to develop”. In this way, the ICO seems to be taking a phased and business-friendly approach to the GDPR.

The ICO has also launched a new microsite dpreform.org.uk – this will be the home for the ICO’s GDPR guidance; a key addition to your “favourites” bar.

It has also invited further feedback about the areas in which advice and guidance is most needed – so get in touch if you have any strong views. Watch this space as we see what else the ICO (and other European regulators) will produce on the GDPR…

 

About Nick Graham

Nick Graham is the Global Co-Chair of Dentons' Privacy and Cybersecurity Group. He specialises in data privacy, cybersecurity, information governance. Nick advises across all sectors including retail, telecoms, energy, manufacturing, banking, insurance, transport, technology and digital media.
