For those of us watching every development there’s never been a more interesting time in data protection and privacy. It’s been a long journey since the GDPR text was finalised three and a half years ago – 2017 was all about preparing, early 2018 the panic set in, and then post May, we waited for what would happen next. 2019 has been a year of delving into the detail when European regulators have taken action, pondering the diverging views on cookies, facial recognition privacy worries and the near collapse of the proposed ePrivacy Regulation.
What do our esteemed DPN Advisory Board believe is in store for us next year?
Robert Bond – Partner at Bristows LLP & DPN Chairman
2020 will see data protection become a key compliance and ethics issue for business and government. Data governance will help build trust in the value exchange between controller and data subject. The ICO will continue to balance guidance with enforcement, but there will be more noticeable tribunal and court activity around breaches and loss of control of personal data.
Simon Blanchard, Senior Associate, Opt-4 & DPN Deputy Chair
As the growth of personal data continues to drive benefits for consumers and advantage for businesses, so data privacy and security will increasingly become a greater focus for businesses. I expect enforcement to grow across the EU, so wise businesses will ensure they have strong governance in place to protect those whose data they process.
Dominic Batchelor, Head of IP and Privacy, Royal Mail Group
Having shown their willingness to impose substantial penalties for security breaches, it’s unlikely to be long before the ICO takes comparable action against other forms of non-compliance, particularly considering their interest in how users of social media can understand and control the use of their data and the precedent set by the Berlin authority in relation to data retention (remember – the Commissioner began her career in archiving!).
Michael Bond, Group Data Protection Officer, News UK
2020 will be the year of the code of conduct. Small and medium-sized organisations will benefit the most from clearly defined standards that help to achieve compliance under the GDPR (perhaps in adtech?). Organisations will continue to grapple with data governance as a driver of consumer trust, and privacy laws in the USA will continue to hit the legislative agenda.
Sara Howers, Data Protection Officer at CGI I.T. UK Limited
It’ll be interesting to see if the German proposed codified fines calculator is adopted across the EU. (Personally I hope not as I don’t think it allows the local DPA, such as the ICO, to take their more holistic and pragmatic approach). I think more fines will be raised around breaches of “Accountability” and “Privacy by Design”.
Matthew Kay, Data Protection Officer EMEA Thomson Reuters
I think the uncertainty around Brexit will see data controllers operating within the EEA raising concerns about the storage of data within the UK by data processors until a deal is agreed. That being said, I do think companies are reaching a position of steady state in many compliance areas such as management of individuals’ rights. However, I think historic challenges around records management will continue to affect organisations’ overall compliance in understanding exactly what data they hold, how this can be processed and used and how long it can be retained. This could see organisations struggle to demonstrate compliance with the accountability principle of GDPR when required.
Charles Ping, Business Leader, Advisor, Consultant & NED
2020 will be the year that GDPR gets real for the ad tech sector – but you don’t need a crystal ball to work that one out. However, a combination of forces may create an existential crisis for some practices (and potentially the players) in the adtech space. The adoption of properly engineered pseudonymisation will grow as content creators and brands get closer together, disintermediating the adtech food chain in search of compliant solutions. Data retention practices will come under scrutiny, and this will create a further challenge to custom and practice. I have a hope that in the absence of a quick resolution to the ePrivacy Regulation some European acceptable practices can be agreed, especially around cookies. Multi-territory clients are poorly served by some of the current divergence.
Julia Porter, Senior Associate Opt-4, Board Director & Business Advisor
I expect the ICO to step up their activity in the ad tech space. If there continues to be a low level of engagement from some sectors of the advertising community, I expect some high profile investigations to be launched. It will become apparent that Brexit is going to be very challenging for the privacy community as it emerges that achieving “adequacy” is not a shoo-in. I’m not holding my breath about the e-Privacy Regulation although it would be most welcome so that we can resolve some of the inconsistencies in interpreting the existing legislation around Europe, with the UK ICO taking a particularly hard stance over analytics and tracking relative to some other territories.
And finally, our predictions wouldn’t be complete without a view from across the pond…
Christopher Field, Head of Privacy, Harte Hanks, Inc.
2020 will bring further convergence of the information privacy and security standards imposed upon multi-national companies. This is especially true for those operating in the U.S. While the ongoing political divide and presidential election in the U.S. are likely to stall efforts to implement a federal information privacy law in the U.S., the California Consumer Privacy Act (CCPA) will continue to impact multi-national organizations operating across the U.S. As their CCPA compliance efforts progress and mature in 2020, these organizations will better understand the impact of not having personal data available to support their business and continue to seek cost-efficient, effective means to supplement their compliance efforts. Strategic organizations will resolve the ethical dilemma of supporting privacy rights differently across their customer base rather than based on where their customers live. These organizations will clearly establish the “value” of their customers’ personal data and fully appreciate the impact of not having such data available in support of their objectives. Such organizations will better position themselves to make informed decisions about offering their customers tiered products or services which do not rely upon the use of personal data and financial incentives in exchange for the right to use their personal data in the future. Across the board, organizations will continue to move their internal operations towards more efficient and effective compliance solutions across their data flows. These efforts will include the consolidation of the personal data, and any expressed choices related thereto, across disparate partners, affiliates, departments, systems and data stores.
All the best for 2020!
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.