2022 was a very eventful year for data protection and privacy compliance (if you’re feeling nostalgic, we covered the main events in our monthly bulletins HERE). 2023 shows no signs of slowing down, with even more impactful developments on its horizon, promising to reshape UK privacy and data protection compliance.
Here are five developments, forecasted to change the game for us data practitioners this year;
UK Adequacy Decisions
After previously agreeing–in principle–to a data adequacy agreement in July, the UK government announced the completion of a full assessment of the Republic of Korea’s personal data legislation on the 23rd of November. They determined that the country’s privacy/data protection laws sufficiently protect the rights of data subjects if their personal data is transferred there.
The legislation was approved by parliament and came into force on 19 December 2022.
While this was the UK’s first data adequacy decision post-Brexit, there are likely to be more in 2023. Under its ‘Data: A New Direction’ strategy, the Information Commissioner’s Office identified the following countries as ‘top priorities for an adequacy decision: The United States of America, Australia, Colombia, Dubai International Financial Centre, and Singapore. India, Brazil, Indonesia, and Kenya were also identified as ‘longer term priorities’.
In October last year, the US government released the EU-US Data Privacy Framework, as a new, GDPR-compliant, medium for personal data transfers coming from the EU.
In December, the European Commission formally began the process for the adoption of an adequacy decision for the US. This was decided because the Framework sufficiently remedied issues that previously resulted in the European Court of Justice nullifying the two previous frameworks for EU-US data transfers (Safe Harbour and Privacy Shield).
The next steps are for the European Data Protection Board (“EDPB”) to determine whether the new EU-U.S. Data Privacy Framework provides an equivalent level of protection for personal data transferred from the EU to U.S. companies. If all that wasn’t enough, a committee of member states will then need to approve the decision while the European Parliament provides oversight. Finally, the EU Commission may adopt the final adequacy decision. The adoption process for the EU-U.S. Data Privacy Framework is expected to take around six months, subject to any legal challenges in court.
When it comes to data privacy, no stone is–quite rightly–left unturned.
UK Data Protection and Information Bill
After a year of consultations, the UK government finally laid its data protection reform bill before parliament, the Data Protection and Digital Information Bill in view of its expanded scope. We covered its contents in more detail on our blog, which if you’re curious you can find HERE.
The bill was to proceed to the second reading stage on the 5th of September but was instead withdrawn from that day’s House of Commons business “to allow ministers to consider the legislation further”. The motives for the withdrawal remain unclear but there has been speculation as to the changes (if any) that could be made to the draft. While we wait, the current legislative framework remains in force and the final law, if passed, will look considerably different from the draft. Our founder Nigel Gooding has kept his finger on the pulse of the bill since its announcement, with his analysis: Data, a New Direction?
Cyber attacks and Information Security Risks
There was a dramatic rise in the number of cybersecurity attacks suffered by organisations in the UK, and around the world, in 2022. The cost of a data breach reached an all-time high average of £3.6 million, according to IBM. In 2023, it is expected that the cost will rise to almost £4 Million on average.
These costs are driven in large part by ransomware attacks in which hackers encrypt essential files and demand payments (typically in cryptocurrency) for a key with which to unlock the files. Small businesses, schools, and even hospitals, have been victims of these attacks, prompting the National Cyber Security Centre to issue alerts urging organisations to integrate information security best practices as a matter of urgency.
Global Legislative Developments
Data privacy activity continues worldwide, as policymakers race against time to protect their citizens’ data. There is a long list of countries initiating processes to create or reform their data protection laws, including the US (American Data Privacy and Protection Act), Canada (Bill C27 – Artificial Intelligence and Data Act), Australia (Privacy Legislation Amendment Bill), and India (Digital Personal Data Protection Bill), amongst a plethora of others.
Each new law creates new standards and obligations that organisations must comply with, especially for organisations with a need to transfer personal data to and from the UK. International data transfers will become more important and face more scrutiny from regulators. Luckily, organisations can still operate efficiently without increasing their legal liability by conducting thorough transfer risk assessments to inform decision-making and provide the necessary evidence to comply with the GDPR’s accountability principle. We have covered international data transfer assessments in more depth on our blog.
Are you unsure about your business’ data protection? Consider taking out a data protection audit with DPAS. Alternatively, enroll your staff into our data protection training courses. You can view our upcoming schedule or get in touch to learn more.