By Lenitha Bishop, Head of DPOs, The DPO Centre Ltd and leading data privacy expert  

Ahead of Data Privacy Day on the 28th of January, we look at the big privacy and data protection issues facing the UK in the year ahead.      

The ongoing impact of COVID   

In the UK, many companies are now asking employees to head back into the office.  However, hybrid working is likely to become the ‘new normal’ for many office-based workers and that means data processing is occurring outside of secure office environments. This makes it much harder for organisations to apply the appropriate “technical and organisational measures” as required by UK data protection law to keep personal data secure; it also presents significant challenges for organisations when having to respond fully to individuals’ rights requests, like Data Subject Access Requests (DSARs).    

The pandemic also created issues such as the UK government’s decision to develop their “Track and Trace” app using a centralised, rather than de-centralised, approach to data processing. This highlighted all manner of privacy-related issues in the mainstream news, significantly raising the profile and importance of data protection in the general public’s eyes. Alongside this, it has also forced organisations to focus their attention on data protection issues relating to their industries, something that might have otherwise passed them by.   

The UK’s (DCMS) consultation on the UK’s data protection landscape  

Whilst we are still waiting for the outcome of the consultation, it is safe to say that the proposals included within it show a clear intention to diverge away, quite significantly in certain areas, from the EU’s regime. The two areas in which will likely see the most divergence are international data transfers and accountability requirements.    

In terms of data transfers, the UK government has made its intentions quite clear that it wants to significantly broaden the number of countries given adequacy, as well as the number of alternative transfer mechanisms available for businesses. In addition, another key area that the current DCMS consultation looks at is if ‘uncertainty may have caused an over-reliance on consent’ as a restricted transfer derogation, and we would agree with that.   

Overall, many of the proposals, if written into UK law, would detrimentally impact the chances of the UK retaining its adequacy status from the EU when it is reviewed.      

The additional burden on financial companies 

Financial companies now face additional impact assessments following the revised EU Commission standard contractual clauses (SCCs), not to mention the UK’s forthcoming SCCs that are due to be published in 2022.  Unpicking ‘consent’ for transfer derogations and where and what it has been given for, is being scrutinised more than ever, especially in a post-Schrems II era.  Are organisations only using these derogations for limited, non-repetitive circumstances and are customers fully aware of what is happening with their data and where it is being sent? 

In addition, ‘data graveyards’ are a big issue facing many financial organisations.  Many organisations are keeping excessive amounts of data, with little knowledge or ability to monitor the applicable storage and retention requirements. There have already been several enforcements in Europe linked to incorrect data retention by financial companies and we expect these to increase significantly in the future.  Companies will need to have much clearer mechanisms in place to ensure they are keeping the minimal amount of personal data for the appropriate period of time.  

AI and privacy considerations 

Although AI and machine learning have been around for some time now, their use has really taken off in recent years. More and more of our clients are now leveraging AI, and as its use becomes more prevalent, so too do the data protection considerations involved with its deployment. Furthermore, AI presents far more complex data protection issues due to the inherent lack of transparency of most algorithms and the increased use of automated decision-making. How these risks are managed will be interesting to see, particularly as the UK has now set itself the goal of becoming an “AI global superpower”. It remains to be seen whether individuals’ rights will be compromised in the pursuit of this goal.  

Data protection law is there to ensure that innovation occurs responsibly and respectfully, this is especially important with AI due to how integrated it is going to become in our everyday life and the types of decisions that it will be making about data subjects now and in the future.   

Responsible innovation is the new data strategy 

Customers are aware of their rights more than ever before, and they are far less likely to tolerate the misuse of their personal data. Data subjects not only understand their rights better, but are also more confident to challenge organisations. This trend is only going to continue into 2022 and beyond.   

Overall, the key data and privacy strategy for businesses in 2022 is to implement responsible innovation which builds trust, loyalty and engagement between them and their customers.  

GDPR, Data Protection Services for Finance & Insurance (dpocentre.com)

This is a Sponsored Feature.