Feeds

ICO on beefed-up EU privacy rules: Biz bods will need 'explicit consent' to slurp data

Never mind what the prime minister said...

Boost IT visibility and business value

Businesses can help ease the transition towards complying with new EU data protection rules by taking a number of steps now, the Information Commissioner's Office (ICO) has said.

In an ICO blog, Deputy Information Commissioner David Smith said businesses can begin by reviewing their procedures for obtaining consent to the processing of personal data, and also undertake measures to make compliance with new data breach notification rules easier.

Smith's comments follow the approval of a draft General Data Protection Regulation by a European Parliamentary committee last week. The final version of the text is still subject to change, as EU Ministers will first have to agree on their own draft Regulation and then negotiate on wording commonly acceptable to both them and MEPs before the new rules become law.

At a recent meeting, EU leaders committed to adopt the new regime "by 2015", but the rules themselves would not take effect for a further two years, under current proposals.

Smith welcomed the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee's approval of the draft Regulation, although said he was not in agreement with all the amendments the MEPs have sought to introduce.

He said, though, that reforms to rules on consent could be expected and that businesses could take steps now to ensure they comply.

"While there will likely continue to be alternatives to relying on an individual’s consent to process their personal information, it’s clear that if your organisation is going to rely on consent then it will need to be ‘explicit’ to be valid," Smith said.

"There’s still some negotiation to go before we see this high standard adopted, but it’s worth checking now how you are obtaining consent, and whether customers realise what they are consenting to. In the future you may also need to be able to prove that somebody has knowingly given you their consent, so start thinking now as to how you gather and document this."

Smith said businesses may also have to put in place systems and management controls that ensure personal information they hold is deleted upon individuals' request, under the new framework.

The Deputy Commissioner also said that businesses can prepare now for new rules that are expected to require them to report some data breaches to regulators.

"Obligatory breach notification, both to affected individuals and to the ICO, is very likely to become law at some point, and organisations are well-advised to start thinking now about how they might put the necessary procedures in place," Smith said. "An obvious first move would be to make sure you know which individuals you hold information about and where it is kept. Then at least if something does go wrong you will know who is affected and who you may need to contact."

The new Regulation is also likely to place obligations on companies developing new systems to ensure that they are designed with privacy in mind. Smith said that such a move would be "new and welcome".

"Whilst not currently a legal requirement, the concept of data protection by design is already recognised as good practice," he said. "All it means really is that when you bring in new systems - or are enhancing existing ones - you need to make sure the impact on individuals’ privacy is minimised."

"This is already implicit in the Data Protection Act principles, for example not collecting too much personal information, but the EU reforms could see an explicit instruction that the information systems used to process peoples’ personal data must be designed with those principles in mind," Smith added. "It might sound scary, but it should help organisations to design systems that respect individuals’ privacy and so command the confidence of customers and the wider public."

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Build a business case: developing custom apps

More from The Register

next story
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
UK fuzz want PINCODES on ALL mobile phones
Met Police calls for mandatory passwords on all new mobes
Yes, but what are your plans if a DRAGON attacks?
Local UK gov outs most ridiculous FoI requests...
Govt control? Hah! It's IMPOSSIBLE to have a successful command economy
Even Moore's Law can't help the architects of statism now
Detroit losing MILLIONS because it buys CHEAP BATTERIES – report
Man at hardware store was right: name brands DO last longer
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
EU justice chief blasts Google on 'right to be forgotten'
Don't pretend it's a freedom of speech issue – interim commish
This'll end well: US govt says car-to-car jibber-jabber will SAVE lives
Department of Transportation starts cogs turning for another wireless comms standard
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.