Draft EU Data Protection Regulation: end of 2013 into 2014

Justice and Home Affairs Ministers continue to discuss the draft Data Protection Regulation at ministerial level and through working group meetings. Meanwhile, here in the UK, the ICO has published tips on how to prepare for the Regulation when it eventually comes into force.

Draft EU Data Protection Regulation continues to make progress
The next key event following the vote in European Parliament LIBE Committee in October is the December meeting of the Justice and Home Affairs Ministers. It is still possible that the European Commission may try and force the ministers to take a formal vote on the draft text so far, which would enable three-way discussions (a trilogue) to begin with the European Parliament and the European Commission.

There also remains the outside chance that all three bodies could approve a final version of the Regulation before the European Parliament and the European Commission come to the end of their five-year term this summer. For more information on this please see EU data protection reform could be delayed until 2015 article.

ICO publishes tips on how to prepare for the Regulation
A blog entry by David Smith, Deputy Commissioner and Director of Data Protection at the Information Commissioner’s Office (ICO), has three tips on how to prepare for the Regulation:

1. Consent
The ICO believes that consent will become explicit under the Regulation, but organisations will still be able to rely on other legal grounds for processing an individual’s personal information.
So, the ICO is advising organisations to check:
· How they obtain consent from individuals for processing their personal information
· Whether individuals realise what processing of their personal information they are consenting to

Organisations may also need to be able to prove that an individual has knowingly given their consent, so they may need to think about how they gather and document this, for example by keeping online copies of generic data collection forms or the wording used on websites. This is currently a good practice recommendation and many organisations may be doing this already.

Consent is also linked to the right to be forgotten, renamed the right to erasure by the European Parliament. If an individual revokes consent to an organisation processing their personal information and the individual asks the organisation to erase their personal information then the organisation will be required to comply with that request unless there is a legal need to keep such personal information.

2. Data security breach notification
It is almost certain that the Regulation will require organisations to notify both the national data protection regulatory authority and the individuals affected in the case of a data security breach. However, the level of data security breach that would trigger the notification requirements and the time limit for the notification are still subject to negotiation.

Organisations must know which individuals they hold personal information about and where such personal information is kept. This will allow organisations to know which individuals are affected and who they may need to contact.

3. Data protection by design
Under the Regulation organisations could be required to demonstrate to national data protection authorities that the IT systems they use to process individual’s personal information have been designed in accordance with the eight data protection principles in the Regulation. The requirement will help organisations to design IT systems that respect the individual’s privacy and so increase his or her trust and confidence in the organisation.

The ICO will shortly be issuing a revised version of its Privacy Impact Assessment Handbook, following a consultation, which closed on the 5 November. The new Handbook will help organisations prepare for this requirement.