Feeds

ICO on beefed-up EU privacy rules: Biz bods will need 'explicit consent' to slurp data

Never mind what the prime minister said...

High performance access to file storage

Businesses can help ease the transition towards complying with new EU data protection rules by taking a number of steps now, the Information Commissioner's Office (ICO) has said.

In an ICO blog, Deputy Information Commissioner David Smith said businesses can begin by reviewing their procedures for obtaining consent to the processing of personal data, and also undertake measures to make compliance with new data breach notification rules easier.

Smith's comments follow the approval of a draft General Data Protection Regulation by a European Parliamentary committee last week. The final version of the text is still subject to change, as EU Ministers will first have to agree on their own draft Regulation and then negotiate on wording commonly acceptable to both them and MEPs before the new rules become law.

At a recent meeting, EU leaders committed to adopt the new regime "by 2015", but the rules themselves would not take effect for a further two years, under current proposals.

Smith welcomed the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee's approval of the draft Regulation, although said he was not in agreement with all the amendments the MEPs have sought to introduce.

He said, though, that reforms to rules on consent could be expected and that businesses could take steps now to ensure they comply.

"While there will likely continue to be alternatives to relying on an individual’s consent to process their personal information, it’s clear that if your organisation is going to rely on consent then it will need to be ‘explicit’ to be valid," Smith said.

"There’s still some negotiation to go before we see this high standard adopted, but it’s worth checking now how you are obtaining consent, and whether customers realise what they are consenting to. In the future you may also need to be able to prove that somebody has knowingly given you their consent, so start thinking now as to how you gather and document this."

Smith said businesses may also have to put in place systems and management controls that ensure personal information they hold is deleted upon individuals' request, under the new framework.

The Deputy Commissioner also said that businesses can prepare now for new rules that are expected to require them to report some data breaches to regulators.

"Obligatory breach notification, both to affected individuals and to the ICO, is very likely to become law at some point, and organisations are well-advised to start thinking now about how they might put the necessary procedures in place," Smith said. "An obvious first move would be to make sure you know which individuals you hold information about and where it is kept. Then at least if something does go wrong you will know who is affected and who you may need to contact."

The new Regulation is also likely to place obligations on companies developing new systems to ensure that they are designed with privacy in mind. Smith said that such a move would be "new and welcome".

"Whilst not currently a legal requirement, the concept of data protection by design is already recognised as good practice," he said. "All it means really is that when you bring in new systems - or are enhancing existing ones - you need to make sure the impact on individuals’ privacy is minimised."

"This is already implicit in the Data Protection Act principles, for example not collecting too much personal information, but the EU reforms could see an explicit instruction that the information systems used to process peoples’ personal data must be designed with those principles in mind," Smith added. "It might sound scary, but it should help organisations to design systems that respect individuals’ privacy and so command the confidence of customers and the wider public."

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Combat fraud and increase customer satisfaction

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.