Tim Musson, Convener of the Law Society of Scotland’s Privacy Law Committee, gives us an update on the latest General Data Protection Regulation (GDPR) guidance.

Clients keep saying to me: “How can we possibly comply with the GDPR, there’s no guidance available?”

Of course, there is the Regulation itself and, like any other law, we must comply. The problem is that the GDPR is complicated and compliance is difficult.

Official guidance is provided by the ICO and the Article 29 Working Party (the working party), which was set up by article 29 of the Data Protection Directive and consists of a representative from a data protection regulatory authority from each EU Member State. As the GDPR is an EU Regulation, most of the guidance must come from the working party.

And just in time for Christmas, the working party delivered five new pieces of guidance in December!

We now have the following official guidance:

  • Guidelines on the right to "data portability"
  • Guidelines on Data Protection Officers (DPOs)
  • Guidelines on The Lead Supervisory Authority
  • Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk"
  • Guidelines on the application and setting of administrative fines
  • Guidelines on Personal data breach notification
  • Guidelines on Automated individual decision-making and Profiling

The following new items are still at the consultation stage but should nevertheless prove very useful:

  • Adequacy Referential (updated)
  • The elements and principles to be found in Binding Corporate Rules
  • The elements and principles to be found in Processor Binding Corporate Rules
  • Guidelines on Consent
  • Guidelines on Transparency

You can read all the guidance from the Article 29 Working Party on the European Commission website.

The new items are probably the most significant so far. The Adequacy Referential may well have an impact on whether the EU will see the post-Brexit UK as ‘adequate’ for data protection purposes. This will have major implications for businesses trading with the EU. The Guidelines on Consent have been eagerly awaited because of their consequences for direct marketing (the ICO’s draft guidelines and consultation on consent were put on hold earlier this year in anticipations of these). The Guidelines on Transparency are also very significant as ‘transparency’ is one of the core themes of the GDPR, with greatly increased requirements of information provision to data subjects.These are not easy reading!

The Privacy Law Sub-Committee will be considering its response to these consultations.

While we are still expecting guidance on a host of further topics, we can no longer say there isn’t a great deal of guidance.

The task, as we start a new year, is to catch up with this guidance and consider how it impacts on our businesses. Happy reading!

Read all the guidance from the Article 29 Working Party.

Tim Musson has been delivering a number of Law Society of Scotland CPD & Training events on data protection and the GDPR. Find out more about upcoming CPD courses.

Grey steps with a pair of legs climbing up


Our guide to data protection from the perspective of a legal practice