Question one – Challenges
What do you see as the biggest challenges for data privacy in your jurisdiction during the next decade? Is technology a factor?
Uncertainty provided by Brexit extends to data protection. At the time of writing, the provisions of the GDPR are still in force. This position, however, may be liable to change as a consequence of Brexit.
While unconfirmed, the UK government has announced that it intends to adopt the provisions of the GDPR into domestic law following Brexit.
Further to the requirement for UK companies to comply with the future provisions of domestic law, the data protection position with the EU will also pose a significant challenge. This is because, if Brexit occurs, the UK will, as things currently stand, be deemed a third country for the purposes of data protection, which will require the implementation of safeguards or application of a derogation when UK and EU companies wish to transfer data to each other. The most practical solution for the majority of UK and EU businesses will be to enter into Standard Contractual Clauses, although this has the potential to cause delays for businesses as they rush to enter into these before communications between the UK and EU continue.
As this will be a new position for entities based in the UK, there will be a challenge in the months and years following Brexit to ensure that compliance is achieved on the domestic front, the EEA front and the extra-EEA front, heightening the regulatory burden on these entities. Many of our UK clients with an international element to their business have already started preparing as best they can for this, but the uncertainty surrounding Brexit and the data protection landscape post-Brexit certainly isn’t helping.
Question two – Enforcement
How is enforcement of data privacy breaches keeping up with the rapidly changing regulatory environment? What are the trends you are seeing in your jurisdiction?
Since GDPR came into full force on 25 May 2018, the attitude towards data protection and individuals’ rights to privacy in the UK has shifted dramatically. With the EU-wide attention the new legislation gave to privacy laws, many individuals and businesses that hadn’t given it a second thought in the past now have a fresh concept of data protection at the forefront of their minds.
There have been many high-profile breaches and investigations in the UK, with the UK’s regulator, the Information Commissioner’s Office (ICO), handling almost 6,500 cases relating to data protection in the past 12 months and issuing notices of intention to fine where appropriate. The two standout notices were received by Marriott International (£100m) and British Airways (£183m).
The implementation of GDPR with its strengthened requirements for organisations to report personal data breaches has resulted in a significant increase in reports received by the ICO; up to 13,840 in 18/19 compared to 3,311 in the year before. Complaints sent to the ICO also rose steeply with 41,661 complaints being received in 18/19 against 21,019 being received in 17/18.
The ICO has a clear strategy for keeping up with the increasing regulatory requirements: it has hired more case handlers, with staff growing to 700 from 505; improved the ways in which it resolves cases, enabling it to close two-thirds of cases within 30 days; and created a new executive committee with a remit for technology strategy to ensure the ICO can maintain its reputation as being at the forefront of data protection regulators.
Question three – Unification
The European Union’s General Data Protection Regulation (GDPR) was the big data privacy story of 2018. What has been the impact of this in your jurisdiction? Are you now seeing greater efforts at international cooperation?
Considering the scope of the potential penalties under the GDPR, many companies took swift action to ensure compliance with its provisions. The data protection landscape has changed unrecognisably, with many of our clients now reserving a space on their board meeting agendas for data protection and compliance. Not only are companies wary of the potential fines under GDPR, they are also now aware of the significant damage that can be done to brand and reputation for breach of data protection laws, especially those companies that provide software or technology which is heavily reliant on personal data.
Swathes of consultants advertising GDPR and data protection compliance skills began to pop up in the year leading up to 25 May 2018; the implementation of GDPR created a mini-industry of its own.
On all of our deals, whether domestic, international or where inward investment is being made into a UK business, we have seen increased attention being paid to whether or not the target is compliant with GDPR. Often, where the target has compliance shortcomings, we will find that investment will not be made unless improvement is made, as the investors do not want to risk their money being used to satisfy a fine. Many transactions will also now include extensive data protection due diligence, warranties and, where there is particular concern, indemnities. However, some practitioners try to use GDPR as an excuse for inclusion of indemnities, which should always be resisted.
The extra-territorial scope of the GDPR has certainly increased international co-operation when it comes to data protection with the principles being recognised by many of our non-EU clients and network.
One area to watch on the international stage in the future will be the interplay between the Western world’s attitude to data protection compared to that of countries where data protection is a foreign concept and the impact this may have on the Western world’s ability to keep up with technological advances in fields such as Artificial Intelligence.