Background

The UK’s supervisory authority, the Information Commissioner’s Office (hereinafter, “ICO”), has recently published a Guide to the General Data Protection Regulation (hereinafter, the “Guide”). The Guide is addressed to those who have day-to-day responsibility for data protection and aims to explain the provisions of EU Regulation 2016/679 (hereinafter, “GDPR”), in order to concretely help organisations to comply with its requirements.

The Guide includes links to relevant sections of the GDPR itself, to other ICO guidance and to guidance produced by the EU’s Article 29 Working Party.

Main issues

The Guide is divided into several sections, which can be summarized as follows.

Since the Guide is conceived as a living document, this section will be dedicated to an overview of the latest news concerning GDPR and will be updated on a monthly basis by the ICO.

These sections specify the field of application of the GDPR and the definitions of personal and sensitive data, clarifying the provisions of Article 5, 6 and 9(2) of the GDPR.

This section offers some clarifications about the importance of the collection of an appropriate consent and its management, including three small checklists dedicated to the activities of asking, recording and the management of consent.

ICO dedicates a section to the explanation of the different rights of the data subjects provided by the GDPR (right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, rights related to automated decision making including profiling).

The Guide includes a section dedicated to the provisions that promote accountability and governance of data controllers and processors, which contains a list of actions recommended to demonstrate compliance.

The section at stake is dedicated to the data processing agreements between data controllers and data processors and includes two checklists containing some compulsory details and terms, as well as processors’ responsibilities, which should be inserted in the agreement.

This section offers some clarifications about the obligation to maintain internal records of processing activities.

This section briefly describes the principles of data protection by design and by default and refers to the ICO’s guidance on privacy by design.

The Guide specifies what a Data Protection Impact assessment is, when it is needed and what information it should contain.

In this section the ICO clarifies when a DPO should be appointed, which are its tasks and qualifications, where the role of DPO could be allocated and the possible duties of employers.

This section is dedicated to Codes of conduct and certification with a special focus on their practical implications.

In this section the ICO refers to its previously produced guidance as a good starting point for organisations, which assist them in securing the personal data they hold.

The Guide contains an overview of the principles concerning the data transfers, with a special focus on what could be considered as appropriate safeguards.

This section refers to the Article 29 Working Party’s recent guidelines on Personal data breach notification and specifies what a personal data breach is and when its notification to the supervisory authority and communication to data subjects are mandatory.

The ICO dedicates a section to the derogations to the provision of the GDPR permitted by the GDPR itself.

This last section is dedicated to provisions concerning the protection of children’s personal data, with a special focus on the requirements needed in case of offering online services to children.

Practical implications

The Guide can be used by those who have day-to-day responsibilities with respect to data protection in order to increase their compliance, obtain clarifications on how to interpret provisions of the GDPR and to get a monthly update on the latest news concerning the GDPR.