The Article 29 Working Party (WP29) has published Europe-wide guidelines on profiling and on breach reporting in preparation for the General Data Protection Regulation (GDPR). WP29 guidelines on administrative fines are also to follow soon.
The ICO, as the UK member of WP29, led and assisted in developing the final guidelines on certain key aspects of GDPR (which included feedback received on the ICO discussion paper on profiling and automated decision-making).
The ICO has also been involved in discussions on guidelines for consent and transparency and has used consultation responses to its draft guidance on consent to help inform these WP29 discussions in Europe.
In addition to its work at European level, the ICO is also continuing to look at guidance on:
- Other lawful bases for processing, including legitimate interest
- Accountability and documentation
- Contracts between data controllers and processors
- GDPR – to expand the content of its current overview
In its first annual review of the EU-US Privacy Shield agreement, the European Commission has proposed tougher rules to tackle non-compliance and has recommended closer cooperation between US and EU authorities.
The aim of the EU-US Privacy Shield agreement, launched in August 2016, was to ensure that EU citizens' personal data retains an equivalent level of privacy protection when transferred to the US, whose approach to privacy law differs from that of the impending GDPR. The previous data sharing arrangement, Safe Harbour, was struck down by the European Court of Justice in 2015 on the basis that it was deemed an inadequate regime for protecting the data of EU citizens (in particular in relation to mass surveillance).
For the Privacy Shield to function effectively in the coming years, the report has put forward a number of recommendations for the US Department of Commerce. These include more proactive and regular monitoring of companies and their compliance, and greater forcefulness in pursuing companies that falsely claim to be signed up to the agreement.
The review has also advocated closer cooperation between the EU data protection authorities, the Federal Trade Commission and the Department of Commerce, by creating joint guidance for companies.
The ICO is to launch a dedicated telephone service on 1 November 2017 to help small businesses prepare for the GDPR. This new service will be based around the ICO's existing public helpline.
It is understood that small businesses are much further behind than their larger counterparts in preparing for the upcoming changes to data protection law, despite many admitting that the new penalties could put them at risk of insolvency.
The ICO also has plans to publish a more targeted version of its "12 steps to take now" graphic to help small and micro businesses in their preparations, as well as revising its simple-to-use SME toolkit into a GDPR checklist.