Data Privacy in 2016 – A Look Ahead
By: Richard Beaumont | Monday, December 7, 2015 | Tagged: Data Privacy, GDPR, Privacy by Design, Privacy Impact Assessments, Safe Harbour
2015 has been a big year for privacy. There has been an almost continual stream of data breaches, significant not just in sheer numbers of people whose data has been lost, but the types of companies and the serious nature of the data involved.
There have also been stories about abuses of personal information by perfectly legitimate and otherwise well-meaning organisations. Charities in particular came under scrutiny in the UK after it emerged that vulnerable people appeared to have been deluged with requests for money and contact lists of donor targets had been actively traded.
Data Protection Authorities have been flexing their muscles with increased confidence. In the UK the ICO has handed out record fines for cold calling and spam texts, and is asking a lot of questions of the UK data broker industry.
We have also seen the unravelling of the Safe Harbour regime as a result of the Schrems decision, threatening the significant flows of data from the EU to the US. The issue of surveillance, and particularly the mass retention of data for use by law enforcement and national security services, remains a hot topic.
Of course, overshadowing this all, or perhaps encompassing it, has been the continued negotiations around the EU General Data Protection Regulation (GDPR), and the will-they-won’t-they questions about their conclusion by year end.
So what can we expect next year? These are my three to watch out for.
The New Safe Harbour
At the beginning of the year, there will be a lot of focus on whether or not agreement is reached on a replacement to Safe Harbour, struck down by the EU Court of Justice in October. The Article 29 Working Party set a deadline of 31 January for negotiations to reach a conclusion. What is not clear is what will happen if they don’t. Although there has been talk of co-ordinated action, there are already differences appearing in the approach taken by different EU Data Protection Authorities (DPAs). If a new agreement is not reached, we are likely to see a range of different actions by regulators that may have large organisations fighting battles on multiple fronts.
The EU GDPR
The EU GDPR will of course be the headline act of 2016. With the final agreed text expected to emerge at the beginning of the year, the focus will switch from talking and writing about the potential impacts, to the actual business of getting compliant with the new rules.
Larger companies with complex data protection needs may be hard pushed to introduce comprehensive changes within the anticipated two year adoption period, although many have taken the first steps already.
However, the biggest impact may be in the SME and mid-size company sectors. These organisations may find themselves being required to do a lot more than they have before, with greater risks of getting it wrong. Budgets will be tight, and on the ground experience much in demand. They also may find that there is no time to sit back and wait to see what the rest of the market does before responding.
Privacy Impact Assessments and Privacy by Design
The GDPR puts a lot of emphasis on the justification of decisions made by organisations about the use of personal data. It requires not just that the interests and rights of individuals are respected, but that they can be shown to be respected.
With this in mind it requires organisations to use the tools of Privacy Impact Assessments (PIAs) and Privacy by Design (PbD). Whilst both of these have been around for a few years, the GDPR really thrusts them into the spotlight. Expect to hear a lot more about them, including new technologies and solutions for applying them.
PIAs are already operational processes for larger companies; however, they are often ad-hoc and informal. We expect them to become much more formalised, and to see a much wider range of organisations carrying them out in far greater numbers. PbD, at this point, is more a set of ideas for how to build systems than any kind of operational tool. However, the new discipline of Privacy Engineering is looking to change this. We think there will be a raft of new tools using the PbD label in some way, though their quality and effectiveness are likely to vary widely in the early stages.
Whatever happens, the data privacy field in 2016 will be anything but dull.