Data Protection: a Renewed Focus

By Aim's data protection experts

January 2022

As a consultancy specialising in all things data driven, including data protection consultancy and tooling, we noticed a surge in interest in the management of personal data after the introduction of the GDPR in 2018. Over the next couple of years there was continued need for our services in this area, but things had plateaued. Skip forward to now and, based on the number of enquiries we receive, it’s clear there’s a renewed interest in personal data management. So what, if anything, is driving this renewed focus? Whilst there can be no one thing, we can look at a few likely candidates. Not all are data protection specific, but they all have links to personal data management and processing and are developing at superspeed.

First, it’s worth considering the significant number and high value of data breach fines. Whilst it’s possible these are driving interest, in reality most companies have been aware of these for a long time and implemented solutions to reduce the risk at a very early stage, so fines are unlikely to tell the whole story.

So, what else? Let’s consider some newsworthy items that may be factors. There’s the increasing pace of introduction of new regimes around the world, including China’s Personal Information Protection Law, which came into law in 2021 and demonstrates China’s focus on facilitating global trade by ensuring data privacy. At the same time, the Schrems II judgement in the EU invalidated the EU-US Privacy Shield and made data transfers to the US problematic. This could be compounded by a recent ruling in Germany restricting the use of US-based cookie management solutions, which store data in the EU. The problem here is that they use IP addresses, which the GDPR sees as personal data, and whilst the data is stored in the EU, US law says that this data can be requested by US security services. The likelihood is minimal, but it shows how seriously the EU is taking the threat to personal data posed by third-party governments, and consequently, similar rulings are likely to follow.

Whilst they do not focus specifically on data protection, there are also ongoing discussions about the use of AI and potential harm to data subjects. The EU is considering legislation similar to the GDPR and the introduction of fines of up to 6% of annual turnover. For now, perhaps this isn’t a big issue, but at the rate technology changes, it’s likely to be a factor sooner rather than later. Linked to the concept of purpose limitation and unauthorised use of data, the furore around Cambridge Analytica’s use of personal data for targeted marketing made people sit up and take notice. This aspect of the use of data is only likely to increase as companies strive to target the sale of their products and services. There’s also the use of “dark patterns”, which can manipulate users into buying or using services they might otherwise not engage with. Data is a very valuable commodity, and its value is increasing significantly as organisations develop the tools to create models that make use of every piece of data they hold.

Finally, there’s an increasing focus on the GDPR basics like data protection by design and default, especially the latter, which focuses on what an organisation does day to day and is a vital part of a company’s ongoing compliance strategy. There’s also the requirement for organisations to complete due diligence on their processors, and consequently the question of how this is managed. This has generally been completed using questionnaires and discussions; however, that just gives a snapshot of where a provider is at any moment, and not how that compliance changes over time. New tools and techniques will therefore be developed that will challenge existing processes and lead to organisations being much more dynamic in their personal data management.

Although the above examples are only a fraction of what’s appearing in the news and of the changes that are occurring, it’s clear how rapidly the landscape is changing and why organisations are requiring the assistance of data experts like Aim Limited in order to stay one step ahead from both a compliance and service development perspective. So, if you haven’t looked at your systems or processes for a while, you should consider whether you’re being exposed to risks you should really be considering.
