Since the introduction of GDPR in 2018, the data protection landscape has seen a dramatic evolution. 2020 has brought with it several major shifts, including the landmark Schrems II ruling, the pressures of ensuring compliance during a rapid shift to remote working and the rise in the number of cyberattacks.
On top of this, the looming possibility of the UK’s transition period from the EU coming to an end without a deal meant there was a great deal to discuss at the Data Protection Virtual Summit on the 10th of December.
Across its three sessions, the summit’s speakers discussed how data protection has progressed, with insight from frontline practitioners reflecting on key trends, challenges, and best practice.
Protection and Privacy
The first session explored the case for data protection – from a regulatory perspective, a security perspective, and a business perspective.
Speakers in session one included ICO Regional Manager in Scotland Maureen Falconer, Head of Information and Cyber Security at NHS NSS Scott Barnett, and OneTrust Privacy Solutions Engineer Joseph Byrne.
Falconer noted that in adapting to the coronavirus pandemic, companies had to reassess their priorities. Data protection compliance and documentation understandably fell in priority when ensuring business continuity became more important.
As such, the ICO had to balance enforcing regulations on struggling companies against a more pragmatic and supportive approach. It decided to take a proportionate approach based on how equipped the company was to deal with the investigation.
“We are committed to being an empathetic and pragmatic regulator, focusing on areas of greatest risks,” she said. “We will focus our efforts on the most serious risks and the greatest threats to the public. We recognise that organisations are having to react quickly to new risks and initiatives, and we will assist organisations by providing advice and guidance on data protection law where we can.”
As the year has gone by, the cybersecurity landscape has evolved as cyberattackers have ramped up attacks and taken advantage of uncertainties around Covid-19. The task of protecting patient data is particularly important, and Barnett warned that security can’t stand still in the face of new cyber threats.
Defending this data therefore requires an understanding of both the threats and the defences an organisation offers.
Finally, Byrne discussed how to explain the importance of privacy to senior management. He explained that privacy is more than just a regulatory requirement, or a way to avoid a reputational hit – it offers genuine tangible benefits to companies that implement privacy policies.
With concerns about data usage, embedding privacy into business practices can be a major selling point that offers a competitive advantage. Together, they agreed that the importance of privacy and data protection has ultimately risen over the past few decades, and with it the level of investment.
Session two saw a series of eight breakout sessions which discussed a wide variety of issues, including the importance of building compliance in data sharing or preventing and recovering from cyberattacks.
We also learnt about how to ensure children’s data is adequately protected under the Children’s Code, coming in September, along with tips on big data sharing in a post-Covid era.
Pladis Global Global Data Protection Controller Toby Hayes looked at the role of consent in data processing. He provided advice to help understand consent as a category of personal data, along with nine conditions for using it.
To do this, he took five specific cases and established where consent was and was not needed for data tracking. He ultimately noted that while consent is a powerful tool, it is not always necessary and sometimes hinders data processing.
“There is no question that ethically it is generally the best one to go for. But it can often be the most difficult lawful basis to live with,” he said.
“Think about whether it is appropriate and then think about do you need special category personal data to achieve the outcome that you are after? Is there no other reasonable, less intrusive way to achieve it?”
With the Schrems II case being such a major event in data protection legislation, it was inevitable that talks would focus on it. Chief Privacy Officer at Refinitiv Vivienne Artz touched on the growing trends of localisation and sovereignty as philosophical bases of data protection legislation.
Schrems II has highlighted disparities between the EU and US and their different treatment of data, with emphasis on protection and surveillance. The location of data and the rights of the state to use this data will remain powerful factors in data usage around the world.
Finally, Research Director at the International Association of Privacy Professionals (IAPP) Caitlin Fennessy helped attendees understand the implications of the Schrems II ruling. With a growing number of cross-border data transfer regimes, companies around the world are having trouble adapting to the loss of Privacy Shield and the additional restrictions on Standard Contractual Clauses (SCCs).
With the Brexit talks ongoing, and the prospect of a no-deal waiting for 1st January 2021, there may be few options left for transferring data between the EU and the UK.
“Some privacy experts have suggested that the Schrems II decision makes adequacy decisions the only real path forward to enable data flows out of Europe,” she warned.