ICO on beefed-up EU privacy rules: Biz bods will need 'explicit consent' to slurp data

Businesses can help ease the transition towards complying with new EU data protection rules by taking a number of steps now, the Information Commissioner's Office (ICO) has said.

In an ICO blog, Deputy Information Commissioner David Smith said businesses can begin by reviewing their procedures for obtaining consent to the processing of personal data, and also undertake measures to make compliance with new data breach notification rules easier.

Smith's comments follow the approval of a draft General Data Protection Regulation by a European Parliamentary committee last week. The final version of the text is still subject to change, as EU Ministers will first have to agree on their own draft Regulation and then negotiate on wording commonly acceptable to both them and MEPs before the new rules become law.

At a recent meeting, EU leaders committed to adopt the new regime "by 2015", but the rules themselves would not take effect for a further two years, under current proposals.

Smith welcomed the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee's approval of the draft Regulation, although said he was not in agreement with all the amendments the MEPs have sought to introduce.

He said, though, that reforms to rules on consent could be expected and that businesses could take steps now to ensure they comply.

"While there will likely continue to be alternatives to relying on an individual’s consent to process their personal information, it’s clear that if your organisation is going to rely on consent then it will need to be ‘explicit’ to be valid," Smith said.

"There’s still some negotiation to go before we see this high standard adopted, but it’s worth checking now how you are obtaining consent, and whether customers realise what they are consenting to. In the future you may also need to be able to prove that somebody has knowingly given you their consent, so start thinking now as to how you gather and document this."

Smith said businesses may also have to put in place systems and management controls that ensure personal information they hold is deleted upon individuals' request, under the new framework.

The Deputy Commissioner also said that businesses can prepare now for new rules that are expected to require them to report some data breaches to regulators.

"Obligatory breach notification, both to affected individuals and to the ICO, is very likely to become law at some point, and organisations are well-advised to start thinking now about how they might put the necessary procedures in place," Smith said. "An obvious first move would be to make sure you know which individuals you hold information about and where it is kept. Then at least if something does go wrong you will know who is affected and who you may need to contact."

The new Regulation is also likely to place obligations on companies developing new systems to ensure that they are designed with privacy in mind. Smith said that such a move would be "new and welcome".

"Whilst not currently a legal requirement, the concept of data protection by design is already recognised as good practice," he said. "All it means really is that when you bring in new systems - or are enhancing existing ones - you need to make sure the impact on individuals’ privacy is minimised."

"This is already implicit in the Data Protection Act principles, for example not collecting too much personal information, but the EU reforms could see an explicit instruction that the information systems used to process peoples’ personal data must be designed with those principles in mind," Smith added. "It might sound scary, but it should help organisations to design systems that respect individuals’ privacy and so command the confidence of customers and the wider public."

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.