Data privacy and protection remain core responsibilities for all organisations that process personal data, but how do we expect compliance to change in the coming months?
Here are what we think will be some of the most significant data privacy and compliance trends in 2022.
The new information commissioner, John Edwards, began his five-year term on 4 January, taking over from Elizabeth Denham. Edwards, the former privacy commissioner for New Zealand, said: “Privacy is a right not a privilege. In a world where our personal data can drive everything from the healthcare we receive to the job opportunities we see, we all deserve to have our data treated with respect.
“My role is to work with those to whom we entrust our data so they are able to respect our privacy with ease whilst still reaping the benefits of data-driven innovation. I also want to empower people to understand and influence how they want their data to be used, and to make it easy for people to access remedies if things go wrong.”
Edwards’s appointment is unlikely to mark any significant change of approach from the Information Commissioner’s Office (ICO). However, as the press release that accompanied the start of his tenure observes, 2022 will be “a busy year for information rights in the UK”.
The government’s consultation on the Data Protection Act (DPA) 2018 and UK General Data Protection Regulation (GDPR) should report in the first quarter of the year, potentially marking the beginning of the UK’s divergence from European Union (EU) data protection law.
Whatever reforms are enacted, it is worth remembering that the EU GDPR’s scope extends to all organisations that offer goods and services to, or monitor the behaviour of, EU residents.
Organisations in the UK can process EU residents’ personal data because of an adequacy decision issued in June 2021, which recognises that UK data protection law affords EU residents’ personal data a suitable level of protection. However, the adequacy decision can be withdrawn if UK data protection law deviates from the EU GDPR to a significant extent.
If this happens, data controllers and processors in the UK could find themselves with two markedly different data protection regimes to contend with, as well as having to rely on other mechanisms to process EU residents’ personal data, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs).
Other incoming legislation to be aware of includes the Online Safety Bill, which aims to tackle harmful online content.
Meanwhile in the EU, a new wave of legislation is also due:
Accompanying this new tranche of European legislation, we expect to see an increase in enforcement action across the EU, continuing the trend in growing GDPR enforcement.
In 2021, there were at least 429 fines issued under the EU GDPR and UK GDPR across the EEA and the UK – a 40% year-on-year increase. Note that not all data protection authorities publish information about the action they have taken, so we do not know about all fines that have been issued.
These fines totalled more than €1bn (just over £900m) – a 602% increase on the value of 2020’s fines.
Most GDPR fines in 2021 were for breaches of Articles 5 (data processing principles), 6 (lawfulness of processing), 13 (information to be provided to data subjects when collecting their personal data) and 45 (security of processing).
This regulatory focus on technical compliance is a timely reminder that it is not just data breaches that controllers and processors must prepare for – it is equally important that they can demonstrate their compliance with the law.
As we recover from the pandemic and the data protection authorities clear their backlog of cases, we can expect to see a further increase in regulatory action under the GDPR and other laws in 2022.
In particular, we anticipate that international data transfers will come under greater scrutiny, especially for those organisations that use SCCs.
The European Commission issued new SCCs in June 2021. They have been required in all new contracts since September 2021 and must be used in all contracts from December 2022.
The UK and EU are not the only ones introducing new legislation in 2022. New data protection laws in China and India, federal laws in the US, and revisions to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will all keep data protection compliance on board agendas around the world – especially for those organisations that process personal data from different territories.
Data localisation, or data residency, is the legal requirement for data to be processed in specific countries. For instance, the EU GDPR permits EU residents’ personal data to be processed in non-EU countries only where it is afforded an appropriate level of protection.
This becomes problematic from a compliance point of view with cloud services, whose use often entails international data transfers.
Meeting your compliance obligations, whether new or old, will require a renewed focus on supply chain due diligence. If you are a data controller, you are responsible by law for the security measures applied by any processors that act on your behalf.
Finally, the question of whether the use of distributed ledgers could be squared with the GDPR has been asked since the regulation took effect, but as personal data is increasingly processed in new environments, blockchain is not the only technology that requires further consideration from a data protection point of view.
As machine learning and artificial intelligence (AI) become more prevalent, and virtual environments such as the metaverse grow, we expect them to receive more attention from the data protection authorities.
If you use these environments, you will undoubtedly face new cyber security and privacy challenges, and your compliance obligations will become increasingly onerous.
All Rights Reserved, Copyright 2000 – 2022, TechTarget