Feeds

ICO on beefed-up EU privacy rules: Biz bods will need 'explicit consent' to slurp data

Never mind what the prime minister said...

High performance access to file storage

Businesses can help ease the transition towards complying with new EU data protection rules by taking a number of steps now, the Information Commissioner's Office (ICO) has said.

In an ICO blog, Deputy Information Commissioner David Smith said businesses can begin by reviewing their procedures for obtaining consent to the processing of personal data, and also undertake measures to make compliance with new data breach notification rules easier.

Smith's comments follow the approval of a draft General Data Protection Regulation by a European Parliamentary committee last week. The final version of the text is still subject to change, as EU Ministers will first have to agree on their own draft Regulation and then negotiate on wording commonly acceptable to both them and MEPs before the new rules become law.

At a recent meeting, EU leaders committed to adopt the new regime "by 2015", but the rules themselves would not take effect for a further two years, under current proposals.

Smith welcomed the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee's approval of the draft Regulation, although said he was not in agreement with all the amendments the MEPs have sought to introduce.

He said, though, that reforms to rules on consent could be expected and that businesses could take steps now to ensure they comply.

"While there will likely continue to be alternatives to relying on an individual’s consent to process their personal information, it’s clear that if your organisation is going to rely on consent then it will need to be ‘explicit’ to be valid," Smith said.

"There’s still some negotiation to go before we see this high standard adopted, but it’s worth checking now how you are obtaining consent, and whether customers realise what they are consenting to. In the future you may also need to be able to prove that somebody has knowingly given you their consent, so start thinking now as to how you gather and document this."

Smith said businesses may also have to put in place systems and management controls that ensure personal information they hold is deleted upon individuals' request, under the new framework.

The Deputy Commissioner also said that businesses can prepare now for new rules that are expected to require them to report some data breaches to regulators.

"Obligatory breach notification, both to affected individuals and to the ICO, is very likely to become law at some point, and organisations are well-advised to start thinking now about how they might put the necessary procedures in place," Smith said. "An obvious first move would be to make sure you know which individuals you hold information about and where it is kept. Then at least if something does go wrong you will know who is affected and who you may need to contact."

The new Regulation is also likely to place obligations on companies developing new systems to ensure that they are designed with privacy in mind. Smith said that such a move would be "new and welcome".

"Whilst not currently a legal requirement, the concept of data protection by design is already recognised as good practice," he said. "All it means really is that when you bring in new systems - or are enhancing existing ones - you need to make sure the impact on individuals’ privacy is minimised."

"This is already implicit in the Data Protection Act principles, for example not collecting too much personal information, but the EU reforms could see an explicit instruction that the information systems used to process peoples’ personal data must be designed with those principles in mind," Smith added. "It might sound scary, but it should help organisations to design systems that respect individuals’ privacy and so command the confidence of customers and the wider public."

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.