Government reforms (2): Data protection – GDPR guidance


What do we already know?

The new General Data Protection Regulation (GDPR) will be with us very soon, on 25 May 2018. We have been regularly updating you about this and for further detail see our updates here.

What’s new?

1. ICO GDPR guidance for micro-businesses

On 12 March 2018, the Information Commissioner’s Office (ICO) launched an awareness campaign about the GDPR aimed at micro-businesses (that is, those employing fewer than ten people).

The resources include a:

  • self-assessment tool to enable micro-businesses to see if the new law under the GDPR applies to their business;
  • video of eight steps that should be taken now and an accompanying guide; and
  • list of frequently asked questions relating to different business sectors.

These are available here.

2. ICO GDPR guidance on data protection impact assessments (DPIAs)

The Information Commissioner’s Office (ICO) has published draft guidance on data protection impact assessments (DPIAs) (available here). The draft guidance is intended to sit alongside the ICO’s Guide to the GDPR (available here) and will replace its current guidance on privacy impact assessments.

The draft guidance confirms that a DPIA is a way to identify data protection risk to individuals’ interests in relation to processing; it is an ongoing process and should be embedded into an organisation’s processes. Any risk should be minimised and an assessment made of whether any remaining risk is justified.

The draft guidance also notes that DPIAs are important as they can enable organisations to assess and demonstrate compliance with data principles and obligations under the GDPR.

3. ICO GDPR guidance on legitimate interests processing

The Information Commissioner’s Office (ICO) has published detailed guidance on legitimate interests as a basis for processing personal data (available here).

The guidance sits alongside the ICO’s Guide to the GDPR and is intended to help organisations decide when to rely on legitimate interests as a basis for processing personal data.

Although the concept of “legitimate interests” as a basis for processing is not new, the GDPR has introduced some changes. These include:

  • enabling organisations to consider the legitimate interests of any third party; and
  • requiring organisations to document their legitimate interest decisions in order to demonstrate compliance with the GDPR.

These changes mean that all organisations should be familiar with this guidance in order to ascertain whether they are able to rely on legitimate interests as a basis for processing personal data.

The guidance recommends that organisations review their existing processing operations in order to ensure that, where legitimate interests is relied on, it is still the most appropriate basis for processing.

The ICO also confirms that organisations can move to legitimate interests as a basis for processing from a different basis under the Data Protection Act 1998. However, where this is the case, any individuals concerned should be informed of the change via an updated privacy notice, and of their right to object to processing on this basis.