10 things that happened whilst I was on maternity leave (and two that didn’t)
Number 5: The GDPR guidance continues

Since my previous update from 2018, "The GDPR is here! What now?", the UK Information Commissioner’s Office (ICO) and the EU European Data Protection Board (EDPB) have continued to publish new and updated guidance on the GDPR and UK Data Protection Act 2018. The EDPB has also provided its first Opinions. This article provides an overview of some key topics.

The ICO guidance is available on the ICO website, and the EDPB Guidelines and Opinions are available on the EDPB website.

EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects

ICO guidance on exemptions to the GDPR

Other new or updated guidance and Opinions include:

  • ICO Guidance on encryption: This was published in November 2018, and includes guidance on what encryption is and some encryption scenarios, including use with email, external devices and videos.
  • ICO final version of guidance on contracts and liabilities between controllers and processors and additional guidance on controllers and processors: These were published in December 2018, and include guidance on identifying the roles of controller, processor and joint controller.
  • EDPB Opinion 22/2018 United Kingdom SAs DPIA List: This was published in October 2018, and considers the ICO’s original list of processing operations which require a data protection impact assessment (DPIA) to be carried out. It asks the ICO to make changes, including reducing the circumstances in which controllers need to carry out a DPIA.
  • ICO updated DPIAs guidance following the EDPB’s Opinion: This was published in December 2018 and includes changes to the rules on when a DPIA must be carried out by reference to the type of processing activities being undertaken.
  • EDPB Guidelines 4/2018 on the accreditation of certification bodies: These were open for consultation until 1 February 2019.
  • EDPB Annex 2 of Guidelines 1/2018 on certification and identifying certification criteria: These were open for consultation until 29 March 2019.
  • EDPB Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies: These were open for consultation until 2 April 2019.
  • EDPB Opinion 05/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities.

Olivia Whitcroft, principal of OBEP, 19 June 2019


1 Note that, under the Data Protection Act 1998, controllers were able to make their own assessment of adequacy which could take into account, amongst other factors, the country of origin of the data. There is no equivalent provision within the GDPR.

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details