The continued uncertainty around the draft EU Data Protection Regulation presents something of a challenge for data controllers. It’s clear that it could require them to make significant changes to how they handle individuals’ data, but the ongoing fundamental political disagreements make it difficult to predict which changes will make it into the final form of the legislation. So it is interesting to see the recommendations on the UK ICO’s blog on where to start in preparing for reforms, highlighting three areas: consent, breach notification, and privacy by design.
Consent: In the UK, many organizations rely on implied consent to the processing of data. It is possible that under the Regulation the standard to be met in order to rely on consent will be much higher, requiring explicit consent and an ability to demonstrate that an individual knowingly gave that consent. The ICO suggests data controllers identify where they currently rely on consent to process data and how they obtain such consent, in case the Regulation requires changes in this area. Individuals may also gain greater rights to require controllers to delete their data, so the ICO suggests thinking about how this would affect the way data controllers manage their information systems.
Breach notification: Mandatory breach notification will almost certainly be introduced in some form, so organizations should start planning for it now. Attendees of Hogan Lovells’ recent London cybersecurity seminar will already be aware of the importance of developing breach handling protocols to deal with intrusions, and personal data breach notification processes can be incorporated within these.
Data protection by design: This is the concept that privacy issues should be taken into account when new systems are being developed, rather than addressed after the fact. The ICO already promotes this as a matter of good practice, so it is not surprising that it uses preparation for the Regulation as a way of promoting its adoption.