My final column of 2020 is in two parts. In this first part, I reflect on what a year we’ve had – picking out some of the highlights from an information law perspective. In part two, I’ll be looking ahead to what 2021 may bring.
Of course, 2020 has been completely dominated by the impact of COVID. It’s been a difficult year for so many businesses. And the pandemic has thrown up all kinds of data protection challenges. Most obviously, organisations had to adapt to new ways of working, which for many of us has involved working from home. For employers, this led to a much greater emphasis on information security – reviewing and managing the additional risks associated with homeworking, training a newly remote workforce and ensuring that good habits in data governance are preserved. As the emergency situation earlier this year has given way to a new ‘normal’, organisations now need to make sure their internal policies and procedures reflect this new reality.
The new normal also means new types of data collection. This includes hospitality and retail companies needing to obtain track and trace details, workplace testing for COVID, and even data about family members when an employee is required to self-isolate. Some of this data constitutes information about health, which is a special category. Organisations need to take particular care in this area, thinking about the lawful basis for the data’s collection, appropriate retention periods and updating privacy notices.
In some cases, this has required data protection impact assessments to be carried out at speed. This has been challenging for businesses large and small. The Government has also faced its own challenges. Back in the spring, it pinned its hopes on its contact tracing smartphone app, but data protection and privacy concerns nearly derailed the whole project and led to a fundamental change of approach.
Moving away from specific COVID-related data, the summer’s major row over A level and GCSE results led to an important public debate about the use and potential abuse of algorithms, and their role in automated decision-making. Even among data protection practitioners, it’s fair to say the rules around automated decision-making weren’t widely understood. This row brought them to the forefront of our minds, even though the decision to scrap results by algorithm prevented the ICO or the courts from ruling on their scope. The use of algorithms is only likely to grow in the coming years, so this is one issue that’s not going away.
Away from the pandemic, the law continued to develop. While (thankfully) there weren’t any major legislative changes this year, we have had new case law. In April, the Supreme Court issued its judgment in the Morrisons case. The Supreme Court overturned the decisions in the High Court and the Court of Appeal, which had previously held that Morrisons was vicariously liable under the Data Protection Act 1998 for the actions of a disgruntled employee who deliberately leaked payroll data of thousands of employees onto the internet.
Data protection cases rarely reach the Supreme Court, so this decision was significant. Employers were pleased with the outcome, even though the Court did confirm the principle that employers can be vicariously liable under data protection law for the actions of their employees (just not on the facts of this case).
This case provided a timely reminder about training staff to handle data correctly. In July, the European Court of Justice released its judgment in the much-anticipated Schrems II litigation. The decision invalidated the EU-US Privacy Shield and once again called into question the legitimacy of international data transfers. This is likely to be a big issue in 2021, particularly in light of the Brexit changes ahead – more on this in my next column.
In such a challenging year, day-to-day information governance work took something of a back seat. The ICO made an early and decisive statement that it would be giving organisations impacted by COVID additional leeway, which was very much welcomed and undoubtedly helped to manage some of the initial pressures. But despite the challenges of the pandemic, the regulator’s work hasn’t stopped, and some major cases have been resolved.
In October, British Airways and Marriott International finally received their much-delayed GDPR fines. As you may remember, in the summer of 2019 the ICO announced its intention to fine these companies £193m and £88m for serious security breaches. However, the companies made further representations and so the ICO had to reconsider its approach. The fines issued were vastly reduced compared to the original notices of intent, with British Airways receiving a fine of £20m and Marriott £18.4m. These are still large numbers, but much lower than originally proposed, so in a way, British Airways and Marriott achieved a good result. Nevertheless, the era of multi-million-pound data protection fines has truly arrived.
The ICO has also been busy with new guidance. Practitioners have particularly welcomed new subject access requests guidance. The new accountability framework provides much clearer advice on the documents and actions the ICO expects organisations to take to meet their accountability obligations. Elsewhere, regulators have increased the pace of GDPR enforcement, from minimal fines to multi-million euro ones. For example, the CNIL in France recently fined the Carrefour supermarket chain over €3m for various infringements and Twitter was fined €450,000 by the Irish DPC. There is a real irony in that we’re getting more examples from across Europe at just the moment when these decisions will cease to have an impact in the UK.
With everything that’s happened in 2020, it’s easy to forget that the GDPR and the Data Protection Act 2018 are still very new laws. All of us – businesses, practitioners, the regulator and the courts – are still working through new situations and new challenges. It has certainly been a challenging year, with data protection issues never far from the headlines. In my next column, I’ll look ahead at what 2021 may bring.