Thoroughly knowledgeable,
very pragmatic and

Chambers Guide


Keep up to date with our latest insight pieces, news and industry developments. See below for the latest posts or use the categories to hone your search for stories of interest.

Rather listen? The WABChats Podcast provides engaging and informative conversations with contacts, clients, advisors and friends of White & Black Limited. Listen Now.

Preparing for the GDPR: ICO publishes guidance roadmap

The UK’s data protection regulator, the Information Commissioner’s Office, sets out a timetable for providing guidance on the GDPR before implementation.

Whilst the General Data Protection Regulation (GDPR) is not due to come into effect until 25 May 2018, there is a lot going on behind the scenes to ensure that governments and businesses alike are up to speed ahead of this deadline. With this in mind, and in conjunction with the Article 29 Working Party’s Work Programme, the ICO has launched some new guidance on the roadmap to help businesses get ready.

The ICO has identified 3 phases to its approach as follows:

Phase 1: familiarisation

This first stage is anticipated to occur over the next 6 months and will focus on helping businesses get to grips with the new legislation before it comes into effect. The ICO hopes to achieve this by:

  • producing further ICO guidance on a dedicated data protection reform website which will build on the 12 Step Document published earlier this year. The guidance will include an overview of the GDPR, individual’s rights, contracts, consents and privacy notices codes of practice;
  • contributing to EU guidelines on identifying an organisation’s main establishment and lead supervisory authority, data portability, data protection officers, high risk processing, data protection impact assessments and certification which the Article 29 Working Party is expected to publish before the end of this year; and
  • developing its thinking on areas such as risks and significant/legal effects, profiling, children’s privacy, documentation/records of processing activity, data controllers and processors and international transfers to ensure that there is continuing guidance on the GDPR at a national and EU wide level.

Phase 2: planning

As a follow on and complement to Phase 1, the aims of Phase 2 (which is estimated to overlap with Phase 1) are to begin to develop frameworks for the various guides that the ICO will be producing to assist businesses with their new compliance obligations. As part of this, the ICO will be:

  • developing an EU data protection regulation guidance structure;
  • considering the existing guidance framework in light of the new guidance structure and deciding whether to refresh existing guidance or create new guidance;
  • developing a new detailed plan of guidance policies to help determine what will be available before and after 25 May 2018; and
  • developing new practical tools and resources to help SMEs with their compliance obligations.

Phase 3: bulk guidance refresh

Following on from Phases 1 and 2, the ICO will finalise its data protection guidance – whether by refreshing and adapting existing guidance or writing new items or signposting or translating EU guidance. The ICO is also intending to complete the development of any practical tools it has decided to implement and will also be establishing a review process whereby the guidance will continue to be updated as businesses and courts across the EU acclimatise to the new legislation.

WAB Comment

Whilst the 12 Step Document has been a helpful starting point there are still many unanswered questions on what exactly is required of organisations to comply with the GDPR. The ICO’s guidance roadmap should therefore provide welcome relief for such organisations on when they can expect to have further clarification for their data protection to-do list well before the GDPR comes into force on 25 May 2018.

If you would like to discuss the effect of the reforms on your organisation, please contact our Data Protection specialists.

Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.

This site uses cookies to improve your user experience. By using this site you agree to these cookies being set. To find out more see our cookies policy