From a data compliance perspective, 2018 has been quite a year thanks to the General Data Protection Regulation (GDPR).
Christmas Day will mark 7 months since GDPR and the UK’s Data Protection Act 2018 (implementing the GDPR) became law in the UK. The run-up to the GDPR d-day in May certainly brought data protection to the forefront of most people’s minds across the UK (whether business or consumer), what with the mass “consent” panic in the lead-up to the deadline. Of course, data protection compliance is about more than just consent as the lawful basis for processing, but consent still remains probably one of the most misunderstood aspects of compliance, particularly where marketing is concerned. Coupled with continual reports of significant data breaches, ICO investigations (remember those ICO enforcement flak jackets?), the Facebook/Cambridge Analytica scandal, further Facebook data processing revelations and reports of the misuse of data in political campaigning, it’s been quite a year indeed!
Of course, in the digital compliance space, data protection and GDPR are just one aspect of what compliance looks like and, with 2019 just round the corner, what can we expect next year? So, here are the Hub’s predictions for some of the things we might see in 2019 when it comes to digital and data compliance.
Despite the GDPR being around for just over half a year, most of the ICO investigations have related to incidents that took place pre-GDPR, and so a lot of what we’ve seen (e.g. Facebook’s £500k fine, Uber’s £385k fine, etc.) has been under old data protection regulation (i.e. Data Protection Act 1998). It is therefore inevitable, as the ICO catches up with its investigations, that we’re going to see GDPR-related enforcement at some point in 2019 – this will give us the first indication about enforcement in the UK under GDPR with its larger penalties.
The ICO have indicated in the past that the €20m GDPR penalties are unlikely to change the financial penalties enforced in real terms – that of course remains to be seen.
As well as being a year for GDPR, 2018 seems to have seen a marked increase in reported cyber/data-breach incidents across the world. It’s not clear whether this is due to the continuing rise in the use of tech across industry (with tech comes data usage and processing), the general awareness of data protection (thanks to the GDPR this year), or a general realisation that organisations are doing things with our data in ways we hadn’t realised (or read in the small print) and are being found out. Or maybe it’s simply that hackers are getting cleverer (or organisations weaker) at cracking security. Some suggest that GDPR has introduced a new culture of data breach whistle-blowing.
It’s unlikely this momentum is going to stop in 2019 and will act as a driver for organisations to look more closely at what they’re doing with their business (and their customers’) data and maybe for their customers to vote with their feet to organisations that can demonstrate better compliance and trustworthiness…
Data compliance as a USP
This year the ICO’s “trust” report indicated that there was a slight increase in trust around how organisations process data (that might change in next year’s report, what with the continuing revelations about Facebook and awareness of breaches), although that seemed to contradict the Edelman Trust Barometer, which continues to indicate a decrease in trust of businesses, organisations and governments.
So, might 2019 be the beginning of an era where data protection compliance and ethical data/tech (see below) drive competitive advantage in businesses? Will consumers move their custom to businesses that have clean records of data compliance health or that indicate how responsibly they process data? Could we see transparency around data use and processing being more than a GDPR-compliant cursory discussion in privacy policies linked from the bottom of web pages, and being more upfront (and by that, we don’t mean intrusive web page pop-ups)?
There is a clear competitive advantage for any business that looks at data compliance as a unique selling point and a way to beat the competition – maybe in 2019 businesses will start realising that data compliance is as much an advantage as a regulatory (and perceived costly) burden.
The rise of ethics
As well as compliance as a competitive advantage in 2019, we may well see a rise in ethical data and tech. As the culture of ethics spreads increasingly amongst the general public in other areas, be that the rise of veganism, concerns about how employers treat their employees, etc., we may well see a shift towards data ethics being a significant driver in the way organisations collect, process and manipulate data. With the “fourth industrial revolution” in full effect, and the rise of AI causing us to ask more questions about what is ethical data processing than problems AI solves, “data ethics” has a big role to play in 2019.
Whether it’s considering how to code out bias in AI algorithms or configuring robots or driverless cars to make life-affecting decisions, there are some tough questions that need answering about just how our data is being used and how outcomes are being driven from code processing data and machines learning.
More from the Hub in the new year about ethics and how digital or data compliance is more than just about satisfying GDPR compliance or data protection regulation.
No matter if you’re fed up with hearing about Brexit in the news or tired of phrases like “backstop”, “hard borders”, “remainers”, “Brexit means Brexit” and “no deal”, there’s no doubting that Brexit will play a significant part in our lives in 2019. And not just in a general sense – it has some pretty serious implications in the data compliance field too.
The ICO recently published some helpful guidance about Brexit and what it means for data protection compliance: if/when we leave, will the GDPR still apply? How will leaving impact our position if we process Europeans’ data? If we operate in Europe, will we need representation in Europe? What will a no-deal mean? Maybe overall we won’t know until it happens (or doesn’t happen), but one thing is for sure: what you do with data, particularly EU data, will be impacted, and Brexit has important implications for UK data protection in the (near) future.
The Morrisons case has shown that even if your data compliance is squeaky clean, incidents outside your control can still lead to legal headaches. It also highlights that, with the right “legal” push, individual citizens aware of their rights (the fact that the GDPR allows for civil damages) can seek damages. So whether you’re compliant or not, we could see a rise in civil liability cases where consumers/citizens are exercising their rights and suing for damages, assuming Morrisons don’t win their second appeal.
Pretty much a given. As 2019 rolls on, we’re going to see more guidance from the ICO and the government around the use of data and associated compliance. We’ve already had a flurry of new pieces of guidance from the ICO over recent months and it’s (hopefully) set to continue into the new year.
We’ve been promised new e-Privacy regulations for the last couple of years: improved cookie controls and maybe changes to the consent mechanisms for digital marketing. But we’re still waiting. The new e-Privacy Regulation was due to come into force at the same time as GDPR but it never materialised and is currently tangled up in debate, changes in presidency of the EU as well as changing EU priorities. Some question the need for a new regulation, and indeed there is a lot of uncertainty about what might happen when we Brexit in terms of how the regulation is implemented in UK law (if at all) – the ICO thinking is that it is unlikely the e-Privacy Regulation will be here before Brexit.
If we’re honest, this one is difficult to call as a prediction for 2019 – there’s as much of a chance of it not happening at all (in which case the UK’s Privacy & Electronic Communications Regulations will still apply) as of it being rolled out across Europe, with the complications of what that will mean in a post-Brexit UK. But it remains an area to keep a watching brief on, as it could impact how businesses utilise cookies, tracking pixels, etc. and what consents are required for email, SMS, messenger and other digital marketing.
Bring on 2019!
So, no matter what 2019 brings for your business or organisation, we hope 2019 is a great year for you and a great year for digital compliance. Either way, the Digital Compliance Hub will be here, continuing to support its members as well as welcoming new members, as we continue through 2019 and beyond, providing the support and help that businesses and organisations need to make sure they’re compliant and ahead of the competition.