2016 was undoubtedly a tumultuous year politically with ramifications in the data protection arena, so what’s on the horizon for 2017? Here are some thoughts from the Data Protection Network ….
Robert Bond – Head of Data Protection and Cyber Security Group at Charles Russell Speechlys & Chairman of the DPN Governance Board
I have three predictions for the coming year. Firstly, there will be a frenzy of activity around GDPR in part driven by third party Vendors believing technology will be the solution and in part by legal and compliance realising there is a lot to do in order to comply. Secondly, consumers will use their data subject rights to go after non-compliant data controllers and then “ambulance chasing” lawyers will start bringing compensation claims for aggrieved and emotionally harmed individuals. Thirdly, “AI and machine learning” will replace “cyber” as the buzz words.
Sara Howers – Global Privacy Officer, Haymarket Media Group
I predict growth in the following areas; DPO/GDPR courses, DPO “magic bullet” software (yes, we can solve all your GDPR problems), DPO recruitment services and Russian data centres. I also see the length of the DP wording in Staff Contracts expanding and a proliferation of PIAs (playing catch up). On the other hand, I predict a contraction in the following areas; small data processor operations/companies (who can’t afford £15 million fines), lists being available for rental and the numbers who makes it onto the Accepted Data Vendors List. Furthermore, less data will be stored as its deleted to reduce risks and data retention policies will be tightened.
Michael Bond – Data Protection and Privacy Advisor, News UK
As organisations get to grips with the GDPR and regulatory guidance bubbles to the surface, organisations flock to automated tools to demonstrate accountability and for the first time, many understand just how much data they have – those same organisations also quickly put in place robust retention policies to limit the amount of data they hold. Privacy Shield’s validity as a data transfer mechanism is successfully challenged, throwing international transfers into chaos, once again.
Julia Porter – Board Director and Business Advisor
GDPR consultants are going to be busy as panic sets in around readiness for GDPR. In particular, the guidance around profiling is likely to be a shock to many. Businesses offering services to incentivise people to share their data will proliferate whilst opt-in statements will become crucial marketing tools if companies don’t want a collapse in rates of data capture. The UK government will need to demonstrate adequacy to EU in the strength of our data protection arrangements to still trade in Europe. However, we’re now in a weaker position to influence EU’s views so some will feel very unpalatable.
Lara Bonney – Managing Director, Epsilon Abacus
2017 will be the year when companies move from ‘how do I collect as much data as possible?’ to ‘how do I collect unambiguous permission to use this data?’. Online or offline, organisations need to be open, honest and more engaging with consumers to gain trust and permission around the use of their data. Sharing data with third parties can have real benefits for consumers. Going forward, permission statements need to evolve, highlighting the value exchange to them of sharing their data, rather than simply confusing consumers with legal-speak.
Rosemary Smith Director Opt-4 & DPN Co-Founder
Santa has brought us an early Christmas present which is the leaked version of the EPrivacy Regulation text. As GDPR preparations get underway, organisations will also have to wrestle with the potential impact of EPrivacy reform including tougher requirements for cookie consent and an extension of the law to cover social and other electronic messaging.
Meanwhile, I predict further pain for charities as the ICO continues to give their fundraising efforts unwelcome attention. Perhaps the sector will take Dutch courage from the Christmas sherry and begin to make a better case for legitimate donor communications? As guidance on GDPR emerges like a star from the East of Manchester, businesses will finally realise that time is running out for implied consent. But what they really want under the Christmas Tree is a viable alternative. Could 2017 be the year of “legitimate interests”?
Published December 2016
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.