Marcus Grazette, Europe Policy Lead, Privitar, shared his expert perspectives on the state of privacy policy and regulatory compliance trends for Data Privacy Day 2022.
Consolidation of data protection best practices
“In 2021 we saw significant efforts to close the implementation gap - this is the gap between legal requirements (often expressed as high-level principles) and operational decisions. Regulators and industry bodies, among others, sought to clarify how organizations should operationalize the high-level principles in data protection principles and laws. For example, the UK’s Information Commissioner’s Office (ICO) launched a consultation on updated guidance on anonymization and the Enterprise Data Management Council, an industry body with 250+ members, developed their Cloud Data Management Capabilities Framework, an industry standard framework. We’re also seeing increasing recognition of the need for specific advice for sectors or technologies to complement the broader data protection regime. For instance, the ICO’s data protection in AI framework or the CDEI’s guide to adopting Privacy Enhancing Technologies (PETs). We expect that this trend will accelerate in 2022. We’ll see greater use of sector-specific case studies and industry-led initiatives to define and document best practice. These will help to increase an organization’s confidence that it is fully compliant.”
Conversations about trust dominate
“Conversations about ‘trust’ dominated in 2021. Organizations continued to invest heavily in compliance programs, and we started to see market leaders looking beyond compliance to embed responsible or ethical data use as a top priority. Organizations increasingly recognise that data use can cause harm to individuals, for example if an unfair or biased model is used to support decision making. Initiatives to ensure responsible data use are starting to emerge as an essential element of an organization’s corporate and social responsibility agenda. We expect this trend to continue into 2022 and beyond, as organizations develop internal processes and workflows to embed responsible data use. We believe that processes and workflows are critical to ensure a consistent approach, at scale, across all of an organization’s data assets.”
2022: The year of enforcement
“Debate around enforcement continued in 2021. Challenges around the ‘lead supervisory authority’ and the consistency mechanisms in GDPR (mainly Articles 60 and 65) mean that national regulators have struggled to hold global companies to account. For example, the Irish DPC’s ruling on WhatsApp revealed significant differences of opinion. Resource constraints are also a significant challenge for regulators. We see signs that this may be starting to change, including: (1) in the US, the launch of California’s privacy regulator to enforce CPRA and the potential for significant new funding for the FTC, (2) pressure on European regulators to up their game and action in related domains e.g. the Italian competition regulator’s fine against Amazon and (3) the UK courts closing down class action claims for damages arising from the ‘loss of control’ of personal data (e.g. in Lloyd v Google). Closing this legal avenue could put more pressure on the ICO to act in defence of individual rights. Action on ‘loss of control’ of data could be significant in the context of the ICO ramping up work on ad tech: the profiling and data collection fueling targeted advertising may use data in unexpected and unwelcome ways. Will 2022 be the year that regulators take enforcement up a notch?”