Feeds

ICO on beefed-up EU privacy rules: Biz bods will need 'explicit consent' to slurp data

Never mind what the prime minister said...

The Power of One Infographic

Businesses can help ease the transition towards complying with new EU data protection rules by taking a number of steps now, the Information Commissioner's Office (ICO) has said.

In an ICO blog, Deputy Information Commissioner David Smith said businesses can begin by reviewing their procedures for obtaining consent to the processing of personal data, and also undertake measures to make compliance with new data breach notification rules easier.

Smith's comments follow the approval of a draft General Data Protection Regulation by a European Parliamentary committee last week. The final version of the text is still subject to change, as EU Ministers will first have to agree on their own draft Regulation and then negotiate on wording commonly acceptable to both them and MEPs before the new rules become law.

At a recent meeting, EU leaders committed to adopt the new regime "by 2015", but the rules themselves would not take effect for a further two years, under current proposals.

Smith welcomed the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee's approval of the draft Regulation, although said he was not in agreement with all the amendments the MEPs have sought to introduce.

He said, though, that reforms to rules on consent could be expected and that businesses could take steps now to ensure they comply.

"While there will likely continue to be alternatives to relying on an individual’s consent to process their personal information, it’s clear that if your organisation is going to rely on consent then it will need to be ‘explicit’ to be valid," Smith said.

"There’s still some negotiation to go before we see this high standard adopted, but it’s worth checking now how you are obtaining consent, and whether customers realise what they are consenting to. In the future you may also need to be able to prove that somebody has knowingly given you their consent, so start thinking now as to how you gather and document this."

Smith said businesses may also have to put in place systems and management controls that ensure personal information they hold is deleted upon individuals' request, under the new framework.

The Deputy Commissioner also said that businesses can prepare now for new rules that are expected to require them to report some data breaches to regulators.

"Obligatory breach notification, both to affected individuals and to the ICO, is very likely to become law at some point, and organisations are well-advised to start thinking now about how they might put the necessary procedures in place," Smith said. "An obvious first move would be to make sure you know which individuals you hold information about and where it is kept. Then at least if something does go wrong you will know who is affected and who you may need to contact."

The new Regulation is also likely to place obligations on companies developing new systems to ensure that they are designed with privacy in mind. Smith said that such a move would be "new and welcome".

"Whilst not currently a legal requirement, the concept of data protection by design is already recognised as good practice," he said. "All it means really is that when you bring in new systems - or are enhancing existing ones - you need to make sure the impact on individuals’ privacy is minimised."

"This is already implicit in the Data Protection Act principles, for example not collecting too much personal information, but the EU reforms could see an explicit instruction that the information systems used to process peoples’ personal data must be designed with those principles in mind," Smith added. "It might sound scary, but it should help organisations to design systems that respect individuals’ privacy and so command the confidence of customers and the wider public."

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Maximizing your infrastructure through virtualization

More from The Register

next story
Sit back down, Julian Assange™, you're not going anywhere just yet
Swedish court refuses to withdraw arrest warrant
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
Delaware pair nabbed for getting saucy atop Mexican eatery
Burrito meets soft taco in alleged rooftop romp outrage
British cops cuff 660 suspected paedophiles
Arrests people allegedly accessing child abuse images online
LightSquared backer sues FCC over spectrum shindy
Why, we might as well have been buying AIR
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.