Companies still struggling to get in shape for GDPR have been dealt yet another blow following claims that the vital consent guidance from the Information Commissioner’s Office may not now be ready until the end of the year.
The ICO had originally said it would publish its consent guidance in June, but industry sources claim it may not emerge until December, giving companies less than five months to get their plans in place before the May 25 deadline.
Other key guidance is also due, including how firms can use “legitimate interests” to process personal data, which it has been claimed may force them down yet another route. Some organisations, including the RNLI, have had to reappraise their approach already.
So far, the ICO has only published its 12-step guideline for complying with the new GDPR regulations, and it is coming under increasing pressure to show more urgency.
Last month, John Lewis and HSBC joined growing calls for more clarity from the UK regulator over how they can achieve compliance with GDPR, insisting its guidance is still too ambiguous.
Industry sources are fearful that the ICO “go-slow” is leading to many firms simply putting GDPR compliance on the back burner.
A spokesperson for the ICO declined to comment on when the guidance would be published but said: “We’re currently waiting for the Article 29 Working Party to release its consent guidance. Once this has happened, our guidance will follow.”
However, there are many in the industry who believe the ICO should be leading the way and not relying so heavily on Article 29 as members only hold plenary meetings every two months; the next is not scheduled to take place until the end of September.
Earlier this week, the UK regulator published its first International Strategy, vowing to make the UK one of the leading data protection regulators in the world to meet overseas challenges including increased globalism, changing technology, GDPR and Brexit.
ICO senior technology officer Peter Brown recently defended the ICO’s record, insisting: “We are continually working on new guidance, and more will be coming out. It may not arrive as quickly as people want, but it is on the way.”
John Lewis and HSBC slam ‘ambiguous’ GDPR guidance
Lack of GDPR guidance fuels fears over bombardment
ICO rebuffs GDPR guidance failings despite RNLI rethink
ICO insists GDPR guidance will cover legitimate interest
12 months until GDPR D-day: compliance fears rocket
12 months until GDPR D-day: still not too late to act
GDPR countdown fuels warning of 4,500% rise in fines
84% of UK SMEs have still not heard of EU data reforms