1. Know the scale of the beast you seek to tame
Perhaps the most critical thing you need to know about data in 2021 is the same critical thing you have always needed to know: what have you got, where is it, where did it come from, who is it going to, what are you doing with it, and what is your legal cover for all of that?
And if you do not know that, everything you need to do is so much harder.
2. Two become one
There will now be two versions of data laws.
At 23:00 on 31 December 2020 all the EU laws we know will effectively split themselves into two and one set which applies to EU related activities continues as we know today (EU Data Laws).
Another set (UK Data Laws) effectively matches the EU Data Laws, but with amendments to make them work on a UK only basis.
The EU Data Laws will continue their own path: the EU GDPR, all relevant regulations, directives and case law. At some point also the ‘new’ eprivacy regulation that was originally planned to coincide with the GDPR.
The UK Data Laws will begin their own path: the UK GDPR, the UK Data Protection Act 2018, various existing sets of Regulations (e.g. the Privacy and Electronic Communications Regulations) and existing EU case law, existing and new UK case law. Right now, it is unclear what the UK may do on eprivacy.
Over time the UK Data Laws will diverge from the EU Data Laws.
This means that from 2021 there are two separate regimes to comply with.
3. Keep data flowing
International data flows needing some form of compliance cover has been the situation for a long time - even before the GDPR. If you are a UK-based organisation, there are two key things that affect your international data flows in 2021: the Schrems II case and Brexit.
In July, the EU courts ruled that transfers made compliant by virtue of the Privacy Shield were invalid. This caused problems for Europe / US data flows. The reality of this is that if you have such a data flow as exporter, you need to be putting in place the EU’s standard contractual clauses for data export (SCCs). Cloud / web-based business are generally aware of the issues and did jump in the summer to fix things fast. But there is a whole raft of others who probably have not got there yet - for example, all those intra-group arrangements.
Schrems II was the same issue whether the export is from the UK or the whole of the EEA. And it is something that needs sorting regardless of what flavour deal the UK ends up with.
On top of the Schrems II housekeeping, UK organisations now also need to think about the legitimacy of their data transfers in/out of the UK after the end of the transition period (both to the EU 27 and elsewhere).
And of course, EU 27 organisations will need to think about their data transfers in / out of the UK too, because for them the UK will be a ‘third country’.
Based on the latest materials from the Information Commissioner’s Office (ICO), here is how the international transfers world looks for UK based organisations:
- UK to EEA: will not be restricted
- EEA to UK: no adequacy for UK so far, so sender in EEA will need to follow GDPR requirements (SCCs, binding corporate rules (BCRs), other permitted mechanic, etc)
- UK to outside EEA
- Existing adequacy will be recognised.
- Existing SCCs will be recognised (may need minor amendments to only apply to UK rather than whole EU).
- Existing EU BCRs will need to be re-authorised by ICO.
- Other mechanics and exceptions will be the same (EU GDPR and UK GDPR mirrored).
- Outside EEA to UK: cryptically the ICO say in relation to adequacy that ‘specific arrangements are being worked on’; anyway, it is up to the sender outside the EEA to comply with their local rules.
So as a matter of urgency, if there are data flows which are not compliant, these need to be fixed. The quickest way is implementing SCCs to plug the gap.
4. More Brexit
Other than the raw operational necessity of keeping the data flowing internationally in a post-transition period world, there are other compliance items tucked away in the UK GDPR and EU GDPR - specifically for organisations that trigger the extra-territoriality provisions which are triggered by targeting or monitoring behaviours. If they are triggered, there is some housekeeping to do around considering if the organisation has/will create an establishment or appoint a representative.
Whether these provisions are caught is a complex analysis and will also depend on whether the organisation is wearing its ‘processor’ or ‘controller’ hat. It is perhaps the one area where getting specialist advice is a necessity.
5. Transparency and accountability
Your organisation will have a few transparency and accountability documents which were ‘born’ out of the GDPR: internal policies and procedures, privacy policies, etc.
In 2021 you will need to watch out for these too - specifically that they take account of the split into UK Data Laws and EU Data Laws.
6. Regulators flexing their muscles more
The transition from old regulation of personal data to the new regimes with more robust powers and fining ability is now well established and the GDPR has become the template for many other countries around the world (e.g. China’s Personal Data Protection Law currently going through the legislative process is very much inspired by the GDPR).
There is some consistency of fines, with multi-nationals and / or high impact being fined eye watering amounts.
This will pick up speed in 2021, particularly as many governments will need to top up their coffers. Their focus will be on data breaches and things in the category of ‘creepy’.
Maybe the ICO will agree some form of accord with the AdTech industry, having been taken off that path in 2020 due to COVID-19.
7. Regulation of big tech looms
Big tech relies on data and around the world there are regulators sharpening their teeth.
In the UK we have seen the Competition and Markets Authority issue advice to the Government on the design and implementation of the UK’s new pro-competition regime for digital markets.
Specifically related to data, there is a recommendation for pro-competitive interventions to allow competition to flourish and unlock the potential for transformative innovation by others in the market. The CMA gives the specific example of ‘imposing interoperability requirements on tech firms and better enabling consumers to control and share data’.
A legislator can easily demand interoperability - but the reality is a huge challenge. But that is where things are moving, so from a design and build point of view, interoperability, standards and secure collaboration will be increasingly important.
8. Power of the person
There is an ever-growing constituency of highly aware data subjects who are actively interested in what is happening to their personal data and enforcing their rights.
This is also supported by the ICO with their Your Data Matters campaign.
If we now also throw into the mix the aftereffects of COVID-19 in 2020 and the sorts of data about individuals being gathered, it will be even more important in 2021 to have robust and properly documented procedures on how to identify and deal with an individual who wishes to exercise their data rights. There are also US-style class actions beginning to bubble up in the UK (e.g. one gathering people who are affected by the BA data breach). The ICO published extremely detailed new guidance on this in October 2020. Keep it handy!
9. The rise of the algo and its friends
There is so much to say about algorithms, machine learning and artificial intelligence (let us agree to call all these AI for short).
One of the things to watch out for in 2021 is how regulators may finally reach a level of understanding to start enforcing some of the more technical aspects of the GDPR around profiling and automated decision making.
In August 2020, the ICO published its Innovation Hub report which makes the ICO’s approach very clear: if a product uses AI, it must be explained to individuals. Explain-ability is the biggest issue in AI for 2021. There is extremely detailed advice on this, produced by the ICO in conjunction with The Alan Turing Institute.
After all this hard work by the ICO to understand and produce guidance, 2021 may see a more concerted enforcement campaign in this direction.
10. Black swans
There will be one. I guarantee it. Not general AI, but some kind of environmental levy for data centres maybe?