Infosec 2014: Act now, but no new EU data protection law before 2017, says ICO

Expect new European Union data protection law to be enacted in 2017 at the earliest, the deputy information commissioner David Smith has said

Expect new European Union (EU) data protection law to be enacted in 2017 at the earliest, said David Smith, deputy commissioner at the Information Commissioner’s Office.

“But, get your house in order now under the current law, to ensure you are ready for the coming changes, because the principles are not very different,” Smith told attendees of Infosecurity Europe 2014 in London.

By acting now, UK businesses can ensure they will not face huge challenges in future, said Smith.

Giving an update on the process of issuing new laws based on the draft EU Data Protection Regulation, he said there had been some progress in the past year, but it had been at a “snail’s pace”.

Smith said that, while the European Parliament had agreed on a version of the proposed regulation, members of the European Council were still working on theirs.

“Optimists hope that the European Council will reach agreement on the matter by June 2014,” said Smith.

Enacting final text

The next step in the process is to hammer out a final text, agreed by the European Parliament, the European Council and the European Commission (EC), which proposed the original draft in 2012.

Smith does not expect the tripartite negotiations to get underway before December 2014, which means the legislation is likely to be passed in 2015, followed by a two-year period of preparation for enactment.

“In this time the data protection laws in the EU member states will have to be replaced with the new EU laws and each data protection authority will need to prepare for a new way of working,” said Smith.

“The ICO will also have a big job to prepare guidance for UK companies on what they should prioritise to ensure they can comply with the new laws once they are enacted.”

Smith said the current data protection directive took five years to become law, which suggests it will take at least another two years before the proposed regulation reaches completion.

Start preparation now

But he emphasised that there is no need to wait, and UK businesses should start preparing now, according to the “direction of travel” of the proposed legislation.

The top priority should be around the principle of obtaining explicit consent from people to gather and use their personal data, he told Computer Weekly.

“Businesses that plan to collect information that will require explicit consent must ensure that, in all their processes, it is very clear what data is being collected and for what purpose,” said Smith.

“It is important that the consent to collect data and use it for a specific purpose is prominent and not tucked away somewhere in a user agreement.”

Data breach notification

The next priority for UK businesses is to ensure they have a system in place for dealing with data breaches, and this should include processes for notifying anyone affected by a breach.

Data breach notification is likely to become compulsory for all companies in the EU, so UK companies should look at what processes they have in place, said Smith.

“If a company does not yet have any data breach notification process, they are lagging behind and risk incurring penalties if they are not ready by the time the new laws are enacted,” he said.

Culture of privacy

The third priority is to create a company culture where privacy is taken into account in every business activity and new processes are designed with privacy in mind.

“Businesses should think about things like necessary data retention periods because, if privacy is not part of the design from the start, it is typically much more difficult to fix in response to complaints,” said Smith.

The approach to retention is not expected to change. Organisations should ensure that personal data is not retained any longer than necessary for the purpose it was originally collected.

For future data analysis purposes, only anonymised or pseudonymised data should be used, said Smith.

“Businesses should not rush products and services to market without thorough testing, and they should listen to their privacy advisors before giving in to pressures from the marketing department,” he said.

Balancing enforcement and guidance

Looking to the future, Smith expressed the hope that the final version of the revised data protection regulation is not highly prescriptive, nor too focused on enforcement.

“There are different cultures and legal traditions in Europe, so hopefully there will be enough wriggle room for each member state to allow for local sensitivities,” he said.

If there is too much focus on enforcement, the ICO is concerned that its educational and guidance activities may have to be curtailed.

The ICO recently published a code of practice on privacy impact assessments and plans to publish guidelines about online security soon, to pass on learning from the mistakes of others.

Smith said the ICO hopes that, under the new regulation, the UK will be able to make “sensible laws” that will not place “unnecessary burdens” on businesses.

Powers to chase the ‘crooks’

The ICO is hoping for additional powers that will enable it to go after the “charlatans” and “crooked individuals” who “never pay up” and simply re-open for business under a new name, he said.

“The ICO is no longer a ‘toothless tiger’ and we have used our new powers to good effect, but more imaginative powers are needed such as the ability to impose periods of mandatory audits,” he said.

Smith said he believes the controversial Safe Harbour agreement does have a future, but only with tighter data protection assurances after it is revised in line with an EC review.

“One of the biggest problems is the element of self-attestation because, in its current form, the system provides no way of checking or verifying that companies are abiding by the rules,” said Smith.

The EC has submitted proposals for improvements to the Safe Harbour agreement. He said the US is working on those and a response is expected soon.