On November 21, 2016, against the backdrop of the EU General Data Protection Regulation (“GDPR”) and Brexit, UK Information Commissioner Elizabeth Denham delivered a keynote speech at the Annual Conference of the National Association of Data Protection and Freedom of Information Officers. During the address, Denham discussed the UK ICO’s ongoing preparations for the GDPR, reiterating the government’s position that the GDPR will be implemented in the UK.
Denham confirmed that the first regulatory guidance on priority areas of the GDPR will be published by the Article 29 Working Party (the “Working Party”) before the end of 2016. This guidance will address a number of key aspects of the GDPR, including the role of the Data Protection Officer, the new right to data portability and how to identify an organization’s main establishment and lead supervisory authority. Furthermore, Denham confirmed that the Working Party is also developing guidance for publication in February 2017 regarding the concept of risk under the GDPR and carrying out Data Privacy Impact Assessments. The Working Party is also working on guidance regarding certifications under the GDPR, but Denham provided no further detail or timeframe for publication of that guidance. Beyond regulatory initiatives at the EU level, Denham also confirmed that the UK ICO is currently working on a revised version of its guidance on Big Data, which is expected to be published by the end of 2016, as well as guidance on consent and profiling, which is expected to be completed by the end of January 2017.