Data Protection Update
11 October 2013
2013 has seen the Information Commissioner’s Office (ICO) publish guidance on two significant topics: (i) the increasing trend of BYOD or ‘bring your own device’; and (ii) the European Commission’s proposed reforms of data protection legislation. A summary of both of these issues is considered below.
1. Bring Your Own Device
In light of the recent trend for employees to use their own laptops or tablets for work, the ICO published new guidance in 2013 to assist employers and data controllers with the practical implications this brings for data protection requirements. The ICO makes clear that the company, as the ‘data controller’, will still be responsible for ensuring that all processing of personal data complies with the DPA, including the seventh principle, which requires that appropriate technical and organisational measures be taken against the accidental loss or destruction of, or damage to, personal data.
What can your Business do to protect itself?
The following are some of the measures which businesses should consider if they are contemplating, or already have in place, a BYOD policy:
- BYOD Policy. Businesses should carry out an audit of the types of personal data they are holding and the devices which will be used. Employees should be aware of their responsibilities and regular audits should be carried out to ensure they are being complied with. A BYOD policy should be provided, if not already in place, to ensure that the businesses’ requirements are clearly set out.
- Data Storage. Consideration should be given to where the data is stored. For example, is it stored on the device, on the company IT network or in the cloud? Regardless of where it is stored, the company, as data controller, will remain responsible for it. Businesses should consider the encryption and password controls used on the devices. Arrangements with cloud providers should be reviewed to ascertain their security and reliability. Employees should be discouraged from using public cloud-based sharing services which have not been fully approved by the business.
- Data Transfer. BYOD policies usually involve the transfer of personal data between the employee’s device and the business’s systems. Consider the use of encrypted channels for transferring data. Also, if using USB sticks or other removable media, consider how to safely and securely delete data after it has been transferred. Consider disabling Bluetooth or Wi-Fi and providing guidance to employees on how to use public Wi-Fi networks.
- Control and Security of the Device. As the business will have less control over a device belonging to an employee, it is important to consider how any personal data held by employees will be managed, and how the business will manage it in the event that the employee leaves. Consider registering devices with a facility to enable remote wiping of data in order to maintain confidentiality in the event of loss or theft (although the employee’s prior permission should be sought, in case any personal content is deleted), and limiting the choice of devices to those which you have assessed as providing an appropriate level of security.
2. Reform of Data Protection Legislation
The DPA, which is derived from the EU Data Protection Directive (95/46/EC), currently governs data protection in the UK. Due to the rapid development of the internet and other technological advances, the European Commission has introduced proposed regulations (the ‘regulations’) designed to modernise data protection legislation. The ICO published its analysis of the proposals in February 2013. If the new regulations are passed, they will apply directly in all member states two years after the date the regulations come into force (without the need for further local legislation). It is expected that there will be significantly more red tape for businesses to get through in order to ensure compliance.
How will these new regulations affect businesses?
The following is a summary of the main proposals which, if passed, may have an impact on your business:
- Policies: Proposed article 11 requires data controllers to have ‘transparent and easily accessible policies with regards to the processing of personal data and for the exercise of data subjects’ rights’. Businesses will have to ensure they have a detailed policy regarding their compliance measures and, depending on the size of the firm (for example, if you have 250 or more employees), a dedicated data protection officer will have to be appointed.
- Processors: The new regulations apply to data processors as well as controllers. This means that businesses merely processing data on behalf of another company will have obligations under the regulations.
- Cross Border Transfers: The regulations propose several changes to the existing regime for cross-border data transfers. In particular, the regulations give legislative recognition to Binding Corporate Rules (BCRs), which allow multi-national companies to carry out inter-group data transfers.
- Retention of Personal Data: The regulations propose that individuals will be allowed greater freedom to insist personal data held about them is deleted. Data subjects will be entitled to request that data controllers erase all personal data relating to them which could lead to significant administrative burdens on businesses.
- Consent: A new definition of ‘data subject’s consent’ requires that individuals provide explicit consent to having their personal data processed. Businesses may find it difficult to find practical ways to ensure that the consent received is explicit.
- Fines: Under the new regulations, data processors or controllers who fail to comply with their data protection obligations can now be fined up to one million euros.