The journey to a new European law is a long one, but to misquote a well-known phrase, one small step by the European Parliament could yet prove to be one giant leap forward towards a new data protection regulation.
Last Monday, the European Parliament’s LIBE (civil liberties) committee agreed how they’d like the proposed reforms to look. This will be what they’ll take to the table in negotiations with the European Council and the European Commission, which are not expected to begin much before the end of the year.
It’s significant in that the Parliament are making the running and are well ahead of the Council in agreeing the position they’ll be taking to the negotiations (or ‘trialogue’, if you’re using the Brussels lingo).
But perhaps more significantly, it confirms that while compromise around the specifics of the reform will take considerable work, the political will is there: last week’s agreement managed to accommodate well over 3,000 suggested amendments to the original proposal.
We don’t necessarily embrace all the Parliament’s changes with open arms and there’s still some way to go, but the progress is pleasing, and we’d echo the words of Jan Albrecht MEP, the politician who was the driving force behind the Parliament’s proposal, that last Monday’s agreement at least has the potential to be “a breakthrough for data protection rules in Europe”.
Over the next couple of weeks we will be looking carefully at the differences between the Parliament’s latest text and the Commission’s original proposal and publishing a brief analysis of the main points of divergence.
With the progress in Brussels in mind, it’s little surprise that here in the UK we’re increasingly being asked by data controllers what they can do to prepare for the reforms. We’d recommend there are three good places to start:
Consent
While there will likely continue to be alternatives to relying on an individual’s consent to process their personal information, it’s clear that if your organisation is going to rely on consent then it will need to be ‘explicit’ to be valid.
There’s still some negotiation to go before we see this high standard adopted, but it’s worth checking now how you are obtaining consent, and whether customers realise what they are consenting to. In the future you may also need to be able to prove that somebody has knowingly given you their consent, so start thinking now about how you gather and document this.
In LIBE’s proposal, the ‘right to be forgotten’ has evolved into ‘the right to erasure’. This is closely connected with the consent issue. Although the practical implications are yet to be worked out, it is clear that under the Regulation individuals will have more control over whether personal information is held about them. This means that where consent is revoked – or where you never had it in the first place – you may be required to erase someone’s personal data if they ask you to. Again this will have implications for the way you manage your information systems.
Breach notification
No one is really questioning the principle of some form of compulsory breach notification – especially where a failure to report a breach would leave individuals open to problems like identity theft or financial loss. Again though, there are still many details to be resolved: what are the triggers here? Do all breaches have to be reported, or only ones involving a certain number of people or particular types of information?
Obligatory breach notification, both to affected individuals and to the ICO, is very likely to become law at some point, and organisations are well-advised to start thinking now about how they might put the necessary procedures in place. An obvious first move would be to make sure you know which individuals you hold information about and where it is kept. Then at least if something does go wrong you will know who is affected and who you may need to contact.
We already have a limited form of breach notification in the UK. There’s guidance on this on our website, explaining when certain organisations need to report a breach to us.
Data protection by design
Whilst not currently a legal requirement, the concept of data protection by design is already recognised as good practice. All it means really is that when you bring in new systems – or are enhancing existing ones – you need to make sure the impact on individuals’ privacy is minimised.
This is already implicit in the Data Protection Act principles, for example not collecting too much personal information, but the EU reforms could see an explicit instruction that the information systems used to process people’s personal data must be designed with those principles in mind. This is new and welcome. It might sound scary, but it should help organisations to design systems that respect individuals’ privacy and so command the confidence of customers and the wider public.
Besides bearing the concept in mind, organisations would also be well-advised to look at the new Privacy Impact Assessment handbook that we’re developing. It’s out for consultation until 5 November and will be really useful in preparing for the possible legal requirement to design privacy into your information systems.
As well as providing Data Protection leadership across the ICO, David Smith has direct responsibility for oversight of its Strategic Liaison Division, which develops and manages the ICO’s relations with its key stakeholders.