New ICO guidance and expected changes in data protection in 2019

The Information Commissioner's Office (ICO) has updated its guidance on data protection impact assessments (DPIA). 

What is a DPIA?

DPIAs are a tool to help organisations identify and minimise the data protection risks of new projects. The GDPR includes an obligation for organisations to do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing, and the ICO has issued screening checklists to help you decide when to do a DPIA.

The updated guidance also includes examples of processing that is likely to result in high risk. 

It's important to get it right, as a failure to carry out a DPIA when required can lead to enforcement action, including a fine of up to €10 million, or up to 2% of global annual turnover if higher.

In addition, the ICO has published a Guide to Data Protection which covers the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR). It is split into five main sections:

  • Introduction to data protection.
  • Guide to GDPR.
  • Guide to Law Enforcement processing.
  • Guide to Intelligence Services processing.
  • Key data protection themes.

In the latest round of updates the ICO has also published its plans to ensure the UK data protection framework continues to operate effectively in the event of a no-deal Brexit.

Data protection in 2019

We expect the ICO to continue to issue new and expanded guidance in several areas, including deletion of personal data, public task as a lawful basis for processing, and the DPA 2018 exemptions from the rights of access, rectification, erasure, portability and objection.

In addition, it’s likely that the ICO will issue new codes of practice as required by the DPA 2018, after current consultations.

The draft E-Privacy Regulation (ePR) will probably be adopted in 2019, although it is unlikely that this will happen before the UK leaves the EU. It will still be applicable to the UK after exit day when the processing of data involves EU users.