Last month marked the most significant change in data law of the last two decades, as the much awaited General Data Protection Regulation (GDPR) came into force along with the Data Protection Act 2018 (repealing and replacing its 1998 namesake). With all of the focus and required administration leading up to their commencement date of 25 May, it would be understandable if organisations have not yet had time to read over some of the practical data protection guidance recently issued by the Information Commissioner's Office (ICO).

Two of the latest publications from the ICO provide valuable insights and practical know-how on some of the key concepts introduced by the GDPR. The first is an expansion of the ICO's main guide to the GDPR, and provides further coverage on the right of access and the right to object. The second, which is also worth reading, is the final guidance document on data protection impact assessments.

Right of access and right to object

The ICO's guide to the GDPR has been updated on a monthly basis since January 2017 in the lead-up to the GDPR's commencement date. The latest update has expanded the guidance available under both right of access and right to object.

Commonly referred to as subject access, the right of access gives individuals a right to obtain a copy of any of their personal data held by a data controller – often their employer or ex-employer. The new pages published by the ICO provide guidance on how to recognise a subject access request and how the requested information should be presented. They also cover practical points such as the time limits for compliance and when a fee may be charged for complying with the request.

Similarly, the guidance sets out what should be considered best practice when it comes to recognising an objection by an individual to the processing of their data. It also gives some useful examples of the types of situation in which the right to object will apply.

Given that these points are not covered in any detail by the GDPR itself, the ICO's guidance serves as a very useful resource in the event that a subject access request or objection is raised by an employee, or by any other data subject.

Data protection impact assessments (DPIAs)

This guidance sits alongside the ICO's main GDPR guidance document. A DPIA is a tool to help organisations identify and minimise data protection risks before any personal data is processed. These assessments should now be an ongoing process, forming a regular part of an organisation's workflow.

The DPIA guidance is aimed at helping organisations carry out assessments as part of an encouraged "data protection by default and design approach". As well as setting out exactly what is required by the new regime and how to go about carrying out a DPIA, the guidance:

  • stresses the importance of considering factors that indicate "high risk" processing, and gives some insight into the different factors that may indicate such risk;
  • provides meanings for phrases found in the GDPR articles relating to DPIAs, such as "new technologies", "significantly affect" and "large scale"; and
  • reiterates the importance of DPIAs in relation to an organisation's accountability requirements under the GDPR.

Both sets of guidance serve as useful risk management tools when it comes to interpreting the GDPR and understanding the practical processes organisations will have to carry out in order to comply with the new regulations. Should you have any queries about the ongoing data management and assessment requirements mentioned in the guidance, please do contact us.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.