The mornings are getting lighter and reasons to be cheerful are increasing, even in the world of data protection. “Steady on,” I hear some say, but a few headaches may at least subside with the news that the ICO has recently enhanced its guide to the GDPR. In doing so, it has shone some much-needed light on a number of previously murky areas of the Regulation. These include:
- More detailed explanation of the ICO’s expectations in relation to the documentation of processing activities (under Article 30).
- Further clarity on what is expected in the event of a personal data breach (under Articles 33 and 34).
- New guidance on what constitutes lawful processing, in particular in relation to performance of a contract with the data subject (Article 6(1)(b)), compliance with a legal obligation (Article 6(1)(c)), protection of vital interests (Article 6(1)(d)) and performance of a task carried out in the public interest (Article 6(1)(e)).
For more information on these developments, see Practical Law Data Protection’s recent legal update.
New GDPR content on Practical Law
Following up on recent additions to its GDPR content suite (see recent blog posts Six months to go and Four months to go), Practical Law In-house has added a number of key new resources in the past two weeks, to further illuminate the road ahead for the in-house lawyer:
- Standard document, Response procedures for data subject requests under GDPR is an internal-facing document setting out the procedures required when responding to requests from data subjects in respect of the rights that data subjects have under the GDPR.
- Practice note, Maintaining a transparent and constructive relationship with the Information Commissioner’s Office (ICO) explains how businesses can develop a constructive relationship with the ICO in light of the changes to be introduced by the GDPR.
- GDPR milestones and project plan sets out milestones and a project plan for an organisation’s implementation of the GDPR.
- GDPR compliance checklist outlines key steps for different functions within a business to take when preparing for the GDPR.
We have also updated these resources in readiness for the GDPR:
- Standard document, Data protection memorandum to board of directors of international company (GDPR version).
- Practice note, Ensuring data protection compliance (GDPR version).
For those seeking more blue sky and some in-depth discussion of the long-term implications for using data in the new GDPR landscape, see the recent blog post by Miriam Everett and Claire Wiseman of Herbert Smith Freehills: Securing the “new oil”: seizing the opportunities in an age of increasing data regulation and the more in-depth PLC Magazine article, Data use: protecting a critical resource.
We are continuing to work on updating existing content and creating new resources – with new resources in relation to data security and data protection officers imminent – and will keep you updated via the weekly in-house email and this blog. You can keep track of the GDPR content pipeline across Practical Law at EU General Data Protection Regulation: Practical Law coverage.