No alt text provided for this image

Source: 5 key privacy trends for 2021

As organisations become increasingly reliant on the use of personal data, the risks they face grow exponentially.

We saw last year a record number of data breachesand a surge in penalties for regulatory violations, but 2021 is set to be even more perilous as the public demand for data privacy grows, COVID-19 scams continue and data protection laws get more complex following Brexit.

Here are our five key data privacy trends for this year.

1. There will be more public awareness of privacy rights

This year, we will see growing public awareness of privacy rights. There is a proliferation of information about data breaches, including commentary in the press regarding data breaches and class action suits, such as the one filed against British Airways.

All of this information is helping consumers become more aware of their rights.

Likewise, the collection by major private and public-sector organisations, as well as employers, of location- and health-related data will also drive employee and consumer awareness of data privacy.

The fact that employers must have a lawful reason for processing personal data means that even on the simple interface of employee–employer relationships, there is a growing awareness of individuals’ rights concerning data.

There is also an increased focus on supervisory authority decisions surrounding DSARs (data subject access requests), and the role they play in taking forward an employment law case.

Over the next year or two, DSARs will likely become a standard preliminary step in any employment-related legal action.

2. Brexit will continue to cause headaches

Brexit, of course, is the biggest immediate issue for UK and EU organisations, and they need to understand the relevance of the UK GDPR (General Data Protection Regulation) â€“ which is embedded in the DPA (Data Protection Act) 2018 as a localised version of the EU GDPR.

For example, references to the EU scope have been changed to the UK, and sections that relate to the actions of the EDPB (European Data Protection Board) have been removed, because its decisions are no longer applicable in the UK.

Organisations operating in the UK and the EU are subject to both regulations, and must keep an eye on the differences in the way they are interpreted and how that affects their compliance requirements.

3. We shouldn’t expect an adequacy decision imminently

Another big concern for organisations operating in the UK and the EU is how to transfer personal data between the UK and the EU.

For data to be transferred freely, there needs to be an adequacy decision made by the EU in respect of the UK data protection regime. On the face of it, that should be straightforward, because its rules mirror those of the EU GDPR.

But in practical terms, it’s not quite as straightforward – not least because there’s an intersection between the UK government’s bulk collection of personal data and the restrictions placed on that under the EU GDPR.

Currently, personal data can continue between the EU and the UK for a minimum of four months – until 30 April. If both parties agree, that can be extended for another two months.

In that period, the EU must decide whether to grant an adequacy decision to the UK. If it does, the UK will be adequate in the same way that the Channel Islands are, and personal data will be able to be moved between the EU and the UK freely.

The UK has already granted an adequacy finding in respect of the EU – so that’s not an issue for moving data from the UK to the EU.

4. GDPR enforcement will be more consistent

In the EU, the approach to enforcing the GDPR is continuing to mature. In the 18 months after the Regulation took effect, there wasn’t much in the way of major decisions, but in the past year there has been a growing number of decisions on a wide range of issues.

In some cases, the fines were miniscule, but in others the penalties were large.

It’s clear that supervisory authorities are paying attention to the requirements of the GDPR – not just relating to data breaches but also violations of its data protection requirements.

We can expect to see supervisory authorities act with greater cohesion and make swifter decisions.

Although the UK’s ICO (Information Commissioner’s Office) has no obligation to follow through with decisions made in the EU, it will almost certainly pay attention to what is happening in the EU.

5. Cookie laws will come under greater scrutiny

From the perspective of most marketers and website users, cookies are a pain in the neck, but they are becoming an increasingly important part of data privacy.

This is evident in the ÂŁ91 million fine levied against Google for its ad tracking practices, as well as the recent actions from Max Schrems and his organisation NOYB.

So, cookies – and in particular the way organisations gain consent for their use – will become a significant issue in the EU and the UK.

Current regulations indicate that they apply whenever organisations provide a service into the EU, so we’ll see more websites, wherever they are based, displaying big banners asking visitors to accept and review their cookie collection practices.

Likewise, people will increasingly review these practices to see whether organisations are getting legitimate consent and therefore meeting their regulatory requirements.

Meet your data privacy requirements with IT Governance

You can find out more about data privacy and the steps you must take to protect the information you process with our Privacy by Design Foundation Training Course.

One of our experts will guide you through the privacy and Agile roadmap, helping you understand how to incorporate privacy by design in your products and services.