2021: Practical privacy predictions for the new year
As the omnishambles that was 2020 fades in the rearview mirror, the reality of 2021 is that businesses have less room for manoeuvre in avoiding legal pitfalls.
2020 drastically and permanently changed the way we live and work: this has major consequences for data privacy. We summarise these in 5 predictions for 2021.
1. A continued relaxed approach to enforcement
We’ve spoken with Captain Obvious, and he confirms that the pandemic is nowhere near over. Businesses must continue to contend with the fallout. Helpfully, the ICO (the UK data privacy regulator) is still committed to an “empathetic and pragmatic” approach to enforcement. In practice, the ICO understands that compliance with data privacy law isn’t as high a priority as usual.
This doesn’t mean you can get away with non-compliance: it means that if non-compliance is genuinely caused by the pandemic and not your own failure to prepare, enforcement will be less severe.
2. More legislation and regulation
Aside from the new UK-specific GDPR, 2021 will bring significant legislative and regulatory developments:
— The Age Appropriate Design Code comes into force in September. This will dramatically increase the compliance burden facing organisations which offer online services for children.
— Hopefully, by the summer, the UK and EU will agree that UK domestic data privacy law offers the same level of protection to individuals’ privacy.
— Companies will need to think about how to comply with the ICO’s new Code of Practice on data sharing.
— We should get more clarity on the legal regime governing international transfers of personal data from the UK not just to Europe but to other jurisdictions around the world.
3. More court claims
The UK GDPR makes it easier for people to claim damages in court where your breach of data privacy law impacts their personal data. There are three particularly worrying trends we’ve seen in the UK:
— Financial loss is not necessary to claim damages. Claimants can recover for concepts as simple and intangible as distress arising from the knowledge that their personal data has been the subject of a breach.
— As in personal injury claims, you must take your victim as you find them. If an individual has a pre-existing condition that would exacerbate the impact of your breach – for example, worsening their anxiety – you will be liable for the additional harm.
— A person can bring a prospective action on behalf of a group (i.e. without needing to organise a collective action). This will embolden potential claimants who might otherwise be put off by legal spend.
4. Increased cybersecurity threats
The pandemic – and in particular our mass online migration – has resulted in a huge uptick in cybercrime. The work-from-home ecosystem remains immature. The reality is that networks and systems are being stress-tested more than their designers ever imagined, and for now solutions are only temporary. There are weaknesses for malicious actors to exploit – both external and internal.
The latter is particularly interesting. We have been instructed on matters where, feeling that their job security is at risk (whether credibly or otherwise), individuals have stolen personal data to use as a bargaining chip or to try and make money elsewhere.
In particular, organisations which outsource IT functions need to ensure that robust data processing agreements are in place which apply sufficiently strict standards to service providers and make recovery as easy as possible.
5. User awareness and caution