In early January, the Article 29 Working Party (WP29) adopted its 2017 Action Plan (Action Plan) on the implementation of the General Data Protection Regulation (GDPR).

Amongst the actions proposed, the Action Plan provides a list of guidelines to be published throughout the year; which are set to cover:

  • Certification and processing likely to result in high risk;
  • Data Protection Impact Assessments;
  • Administrative Fines;
  • Establishment of the European Data Protection Board (EDPB);
  • “One-stop-shop” and the EDPB’s consistency mechanism; and
  • Consent and Profiling.

Following on from the success of its Fablab in July 2016, the WP29 has invited stakeholders to present their views on the above topics at a second Fablab in April 2017. The WP29 will then consult non-EU counterparts on their views on the GDPR, including its implementation, in May.

As reported in a previous blog, the WP29 published its guidelines on data portability, data protection officers and lead supervisory authority at the end of 2016. Stakeholders have until 31 January to provide feedback on these guidelines, after which the WP29 plans to update these guidelines to take into account responses.

In the UK, the Information Commissioner’s Office (ICO) updated its Overview of the GDPR to reflect the Action Plan. Additionally, the ICO has been assessing numerous provisions of the GDPR, including those on risk, profiling and children’s personal data, and aims to publish its own guidance on certain topics (e.g. consent and liability) in the first half of 2017. Monthly updates illustrating forthcoming guidance from either the ICO or the WP29 will be detailed in the ICO’s “What’s New” section (first page of the aforementioned Overview).