Now the EU General Data Protection Regulation is agreed and we have an “enforced from” date of 25 May 2018, one of the key remaining questions is “when will there be more guidance from regulators?”

The ICO, the regulator in the UK, have today provided an update on their website setting out a three-phase approach to guidance development, focusing on the following areas:

Phase 1: familiarisation and key building blocks – with guidance set to include in the next 6 months:

  • from the ICO: an overview of the GDPR; individuals’ rights; contracts; consents and an update to the privacy notices code of practice; and
  • from Europe (the Article 29 Working Party): identifying which regulator applies; data portability; data protection officers; privacy impact assessments for higher risk processing and certification requirements.

Phase 2 then looks at mapping the ICO’s existing guidance to the new structure of the GDPR.

Phase 3 then provides that updated guidance along with links out to European guidance or ICO-written guidance on the European guidance where appropriate.

The ICO have so far published their 12 steps guidance to prepare for the GDPR but there is much more to do.

There are interesting times ahead as the concepts set out in the GDPR are developed through this guidance. The ICO also state that their guidance will be updated to take account of interpretation of the GDPR and case law as it develops past 2018.

View our analysis of the GDPR and our other useful tools at