EU Data Protection Reform – Are we nearly there yet? In a word, no.

The EU’s plans for an overhaul of data protection laws have suffered yet another set-back. After much speculation from commentators that the June 2014 deadline was unrealistic, the EU Justice Commissioner Viviane Reding finally conceded in a speech at a meeting of EU justice and home affairs ministers in Athens last week that the draft Data Protection Regulation will not be agreed during the current term of the EU Parliament.

This most recent delay has been caused by EU ministers failing to reach agreement before starting negotiations with the EU Parliament and the Commission. The draft Data Protection Regulation was first published by the European Commission in January 2012 and has proved to be one of the most controversial proposals ever to come out of Brussels, with over 4000 amendments proposed to the Commission’s original draft.

New timetables have been proposed and Viviane Reding has made some optimistic statements that there will still be a new data law by the end of the year. However, the reality is that we will have to wait and see how discussions regarding the draft Regulations progress following the forthcoming parliamentary election season. There currently remain fundamental differences among Member States and some significant changes of approach will be needed if a consensus is going to be reached.

The UK is currently calling for the proposals to be watered down and for the Regulation to become a Directive, giving each Member State the opportunity to interpret the requirements in a way which best suits it when adopting the Directive into national law. However, this approach is unlikely to be welcomed by international businesses looking for consistency in the application of data protection legislation across Europe.

The one consensus which appears to exist among Member States is the acknowledgement that a change of some description to the current data protection regime is required. In the UK, the core data protection legislation has been in force since 1998 and is outdated and often incompatible with the technological advances which have been made in the last 16 years. Updated legislation, which reflects the world in which businesses are now operating and the advances which are likely to occur over coming years, is likely to be welcomed by all, but only if it is clearly drafted, thoughtful and well-reasoned. No one wants another piece of hastily constructed legislation which raises more questions than it answers. We’ve already got the cookies legislation for that!

ICO publishes data protection guidance for BYOD

Photo: chinnian.

The Information Commissioner's Office (ICO) has recently published guidance for companies to help them avoid potential breaches of data protection laws when encouraging staff to use their personal laptops, tablet computers or smartphones for business purposes, a practice known as ‘bring your own device’ (BYOD).

A recent survey, commissioned by the ICO and carried out by YouGov, revealed that 47% of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes. But fewer than 3 in 10 who do so are provided with guidance on how their devices should be used in this capacity, raising worrying concerns that people may not understand how to look after the personal information accessed and stored on these devices.

The benefits of BYOD include employee satisfaction from being able to use devices of their choice, increased productivity particularly when out of the office and cost saving as a result of the decreased overheads for hardware. However, there are also risks associated with BYOD, one of the key ones being security.

The ICO’s guidance outlines some of the risks which businesses should consider when allowing personal devices to be used for work-related purposes, and explains how BYOD can be adopted in a manner that complies with the Data Protection Act 1998 (DPA).

Under the DPA, there are 8 principles of ‘good information handling’. As well as protecting individuals who are the subjects of this information, the DPA imposes obligations upon those processing the information. Of most relevance is the seventh principle of maintaining ‘appropriate technical and organisational measures…[to protect] against accidental loss or destruction of, or damage to, personal data’.

The ICO’s guidance recommends a number of security measures which employers should put in place to avoid breaching their data protection obligations. These include:

  • auditing the types of personal data being processed and the devices used to access that data;
  • denying or restricting access to sensitive data on devices which lack a high level of encryption; and
  • controlling access to data and/or devices using passwords or PIN codes.

The guidance also explains how businesses should have remote locate and wipe facilities in place to maintain the confidentiality of data in the event of loss or theft and should, where possible, avoid the use of public cloud-based sharing and public backup services if the services have not been fully assessed.

Although implementing these controls will not be free of cost, the potential fines and reputational damage which could arise as a result of non-compliance with data protection legislation and the financial benefits of BYOD could far exceed the costs of putting in place appropriate security measures.

As data controllers, employers must ensure that all personal data is processed in accordance with the requirements of the DPA. The ICO’s guidance represents a useful tool for employers currently using or considering BYOD initiatives to ensure that they remain compliant with the DPA.

A copy of the ICO’s guidance is available here.